You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
124 lines
5.1 KiB
124 lines
5.1 KiB
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
<glsa id="200808-12">
|
|
<title>Postfix: Local privilege escalation vulnerability</title>
|
|
<synopsis>
|
|
Postfix incorrectly checks the ownership of a mailbox, allowing, in certain
|
|
circumstances, to append data to arbitrary files on a local system with
|
|
root privileges.
|
|
</synopsis>
|
|
<product type="ebuild">postfix</product>
|
|
<announced>2008-08-14</announced>
|
|
<revised count="02">2008-10-23</revised>
|
|
<bug>232642</bug>
|
|
<access>local</access>
|
|
<affected>
|
|
<package name="mail-mta/postfix" auto="yes" arch="*">
|
|
<unaffected range="rge">2.4.7-r1</unaffected>
|
|
<unaffected range="ge">2.5.3-r1</unaffected>
|
|
<unaffected range="rge">2.4.8</unaffected>
|
|
<unaffected range="ge">2.4.9</unaffected>
|
|
<vulnerable range="lt">2.5.3-r1</vulnerable>
|
|
</package>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
Postfix is Wietse Venema's mailer that attempts to be fast, easy to
|
|
administer, and secure, as an alternative to the widely-used Sendmail
|
|
program.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail
|
|
to root-owned symlinks in an insecure manner under certain conditions.
|
|
Normally, Postfix does not deliver mail to symlinks, except to
|
|
root-owned symlinks, for compatibility with the systems using symlinks
|
|
in /dev like Solaris. Furthermore, some systems like Linux allow to
|
|
hardlink a symlink, while the POSIX.1-2001 standard requires that the
|
|
symlink is followed. Depending on the write permissions and the
|
|
delivery agent being used, this can lead to an arbitrary local file
|
|
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
|
|
delivery agent does not properly verify the ownership of a mailbox
|
|
before delivering mail (CVE-2008-2937).
|
|
</p>
|
|
</description>
|
|
<impact type="high">
|
|
<p>
|
|
The combination of these features allows a local attacker to hardlink a
|
|
root-owned symlink such that the newly created symlink would be
|
|
root-owned and would point to a regular file (or another symlink) that
|
|
would be written by the Postfix built-in local(8) or virtual(8)
|
|
delivery agents, regardless the ownership of the final destination
|
|
regular file. Depending on the write permissions of the spool mail
|
|
directory, the delivery style, and the existence of a root mailbox,
|
|
this could allow a local attacker to append a mail to an arbitrary file
|
|
like /etc/passwd in order to gain root privileges.
|
|
</p>
|
|
<p>
|
|
The default configuration of Gentoo Linux does not permit any kind of
|
|
user privilege escalation.
|
|
</p>
|
|
<p>
|
|
The second vulnerability (CVE-2008-2937) allows a local attacker,
|
|
already having write permissions to the mail spool directory which is
|
|
not the case on Gentoo by default, to create a previously nonexistent
|
|
mailbox before Postfix creates it, allowing to read the mail of another
|
|
user on the system.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
The following conditions should be met in order to be vulnerable to
|
|
local privilege escalation.
|
|
</p>
|
|
<ul>
|
|
<li>The mail delivery style is mailbox, with the Postfix built-in
|
|
local(8) or virtual(8) delivery agents.</li>
|
|
<li>The mail spool directory (/var/spool/mail) is user-writeable.</li>
|
|
<li>The user can create hardlinks pointing to root-owned symlinks
|
|
located in other directories.</li>
|
|
</ul>
|
|
<p>
|
|
Consequently, each one of the following workarounds is efficient.
|
|
</p>
|
|
<ul>
|
|
<li>Verify that your /var/spool/mail directory is not writeable by a
|
|
user. Normally on Gentoo, only the mail group has write access, and no
|
|
end-user should be granted the mail group ownership.</li>
|
|
<li>Prevent the local users from being able to create hardlinks
|
|
pointing outside of the /var/spool/mail directory, e.g. with a
|
|
dedicated partition.</li>
|
|
<li>Use a non-builtin Postfix delivery agent, like procmail or
|
|
maildrop.</li>
|
|
<li>Use the maildir delivery style of Postfix ("home_mailbox=Maildir/"
|
|
for example).</li>
|
|
</ul>
|
|
<p>
|
|
Concerning the second vulnerability, check the write permissions of
|
|
/var/spool/mail, or check that every Unix account already has a
|
|
mailbox, by using Wietse Venema's Perl script available in the official
|
|
advisory.
|
|
</p>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
All Postfix users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"</code>
|
|
</resolution>
|
|
<references>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936">CVE-2008-2936</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937">CVE-2008-2937</uri>
|
|
<uri link="https://article.gmane.org/gmane.mail.postfix.announce/110">Official Advisory</uri>
|
|
</references>
|
|
<metadata tag="submitter" timestamp="2008-08-14T13:13:26Z">
|
|
falco
|
|
</metadata>
|
|
<metadata tag="bugReady" timestamp="2008-08-14T22:37:03Z">
|
|
falco
|
|
</metadata>
|
|
</glsa>
|