Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200409-32 ] getmail: Filesystem overwrite vulnerability
Date: Thu, 23 Sep 2004 21:03:54
Message-Id: 200409232300.09034.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200409-32
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: getmail: Filesystem overwrite vulnerability
9 Date: September 23, 2004
10 Bugs: #64643
11 ID: 200409-32
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 getmail contains a vulnerability that could potentially allow any local
19 user to create or overwrite files in any directory on the system. This
20 flaw can be escalated further and possibly lead to a complete system
21 compromise.
22
23 Background
24 ==========
25
26 getmail is a reliable fetchmail replacement that supports Maildir,
27 Mboxrd and external MDA delivery.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 net-mail/getmail < 4.2.0 >= 4.2.0
36
37 Description
38 ===========
39
40 David Watson discovered a vulnerability in getmail when it is
41 configured to run as root and deliver mail to the maildirs/mbox files
42 of untrusted local users. A malicious local user can then exploit a
43 race condition, or a similar symlink attack, and potentially cause
44 getmail to create or overwrite files in any directory on the system.
45
46 Impact
47 ======
48
49 An untrusted local user could potentially create or overwrite files in
50 any directory on the system. This vulnerability may also be exploited
51 to have arbitrary commands executed as root.
52
53 Workaround
54 ==========
55
56 Do not run getmail as a privileged user; or, in version 4, use an
57 external MDA with explicitly configured user and group privileges.
58
59 Resolution
60 ==========
61
62 All getmail users should upgrade to the latest version:
63
64 # emerge sync
65
66 # emerge -pv ">=net-mail/getmail-4.2.0"
67 # emerge ">=net-mail/getmail-4.2.0"
68
69 References
70 ==========
71
72 [ 1 ] getmail ChangeLog
73 http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG
74 [ 2 ] getmail Mailing List
75 http://article.gmane.org/gmane.mail.getmail.user/1430
76
77 Availability
78 ============
79
80 This GLSA and any updates to it are available for viewing at
81 the Gentoo Security Website:
82
83 http://security.gentoo.org/glsa/glsa-200409-32.xml
84
85 Concerns?
86 =========
87
88 Security is a primary focus of Gentoo Linux and ensuring the
89 confidentiality and security of our users machines is of utmost
90 importance to us. Any security concerns should be addressed to
91 security@g.o or alternatively, you may file a bug at
92 http://bugs.gentoo.org.
93
94 License
95 =======
96
97 Copyright 2004 Gentoo Foundation, Inc; referenced text
98 belongs to its owner(s).
99
100 The contents of this document are licensed under the
101 Creative Commons - Attribution / Share Alike license.
102
103 http://creativecommons.org/licenses/by-sa/1.0