Date: Tue, 16 Jan 2001 08:04:34 +0100
From: Lars Köller <Lars.Koeller@Uni-Bielefeld.DE>
To: bmah@FreeBSD.org
Cc: FreeBSD-security@FreeBSD.org, FreeBSD-ports@FreeBSD.org
Subject: exmh security bugfix!
Message-ID: <200101160704.IAA22365@hermes.hrz.uni-bielefeld.de>
Hello!
As the maintainer for exmh2 on the FreeBSD ports collection I would
inform you about a security issue just mentioned on BUGTRAQ (see
attached mail).
Best regards
Lars
--
E-Mail: Lars.Koeller@Uni-Bielefeld.DE \ Lars Köller
lkoeller@FreeBSD.org \ CC University of
PGP: http://www.uk.pgp.net/pgpnet/wwwkeys.html \ Bielefeld, Germany
Key-ID: A430D499 \ Tel: +49 521 106 4964
----------- FreeBSD, what else? ---- http://www.freebsd.org -------------
Date: Fri, 12 Jan 2001 18:06:54 -0500
From: "Noel A. Davis" <noeld@TFN.NET>
Subject: exmh security vulnerability
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
X-X-Sender: <noeld@fn3.freenet.tlh.fl.us>
Approved-by: beng@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Reply-to: "Noel A. Davis" <noeld@TFN.NET>
Message-id: <Pine.OSF.4.31.0101121805010.31172-100000@fn3.freenet.tlh.fl.us>
Brent Welch <brent.welch@interwoven.com> asked that this message about the
exmh symlink problem be forwarded to Bugtraq.
Thanks,
Noel
RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
http://rootprompt.org/
rss/rdf file: http://www.rootprompt.org/rss/
Text Headlines: http://www.rootprompt.org/rss/text.php3
---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch <brent.welch@interwoven.com>
To: Albert White - SUN Ireland <albert.white@ireland.sun.com>
Cc: exmh-users@redhat.com, sans@sans.org, noeld@rootprompt.org
Subject: Re: exmh security vulnerability on linux.com
I have put information about the symlink attack and fixes on
http://www.beedub.com/exmh/symlink.html
Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own
tmp directory via the TMPDIR or EXMHTMPDIR environment variable.
Apparently the original bug reported failed to realize this simple
remedy. However, a patch that causes exmh to pick a better directory
by default is in place and available from the above web page. The
change is also checked into CVS.
If someone out there is a member of BUGTRAQ, I would appreciate a posting
to their list about this fix.
>>>Albert White - SUN Ireland said:
> On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html
>
> This bug is mentioned:
>
> "A problem in the bug reporting system for exmh, an X-based interface for the
> MH mail, can cause overwriting of arbitrary system files that are writable by
> the user running exmhexmh encounters a problem in its code, it opens a dialog
> that asks the user what happened and then allows them to send a bug report to
> the author. If the user chooses to e-mail the bug report, exmh creates the
> file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink,
> overwriting the file that it is linked to.
>
> As of this time, the author has not released a patch or updated version. It is
> recommended that the bug report feature not be used on multiuser systems until
> this problem has been fixed."
>
> I think the problem is in error.tcl around line 121:
> 119 proc ExmhMailError { w errInfo } {
> 120 global exmh
> 121 if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
> 122 Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
> 123 return
> 124 }
>
> I guess all that is needed to fix this is a check to see that the file isn't a
> symlink before opening it. I don't know how to do that in tcl though :)
>
> Cheers,
> ~Al
>
>
-- Brent Welch <brent.welch@interwoven.com>
http://www.interwoven.com
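
Added example, not part of the thread and not exmh's code: checking for a symlink and then opening the file leaves a window between the check and the open, so this Tcl example uses exclusive creation inside a verified per-user directory and contrasts it with the `open ... w` pattern quoted from error.tcl. The proc names and the scratch directory are hypothetical, and the scenario is constructed inside that directory only.

```tcl
# Added example, not exmh's code. Proc names are hypothetical; everything runs
# inside a scratch directory created below and removed at the end.

# Pattern quoted from error.tcl line 121: mode "w" follows a symlink at $path
# and truncates whatever file it points to.
proc OpenFollowing {path} {
    return [open $path w]
}

# Hardened: CREAT+EXCL maps to O_CREAT|O_EXCL, which fails if anything,
# including a symlink (dangling or not), already exists at $path.
# A separate "file type" test before the open would leave a race window.
proc OpenExclusive {path} {
    return [open $path {WRONLY CREAT EXCL} 0o600]
}

# A per-user tmp directory only helps if it is a real directory ("file type"
# uses lstat, so a symlink reports "link") and is owned by the caller.
proc PrivateDir {dir} {
    file mkdir $dir
    if {[file type $dir] ne "directory" || ![file owned $dir]} {
        error "$dir is not a directory owned by the current user"
    }
    file attributes $dir -permissions rwx------
    return $dir
}

# Constructed scenario: exmhErrorMsg already exists as a link to another file.
set dir    [PrivateDir [file join [pwd] exmh-demo-[pid]]]
set target [file join $dir important.txt]
set path   [file join $dir exmhErrorMsg]
set f [open $target w]; puts $f "original contents"; close $f
file link -symbolic $path $target

# Exclusive creation refuses the pre-existing link; the target is untouched.
if {[catch {OpenExclusive $path} err]} {
    puts "exclusive open refused: $err"
}
puts "after exclusive attempt: [file size $target] bytes"

# The original pattern follows the link and truncates the target.
close [OpenFollowing $path]
puts "after following open:    [file size $target] bytes"

file delete -force -- $dir
```

The `0o600` literal needs Tcl 8.5 or later; pointing TMPDIR or EXMHTMPDIR at a directory that passes the `PrivateDir` checks is the no-patch remedy described in the message above.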
