Date: Tue, 16 Jan 2001 08:04:34 +0100
From: Lars Köller
Delivered-To: freebsd-security@freebsd.org

Hello!

As the maintainer for exmh2 on the FreeBSD ports collection I would
inform you about a security issue just mentioned on BUGTRAQ (see
attached Mail).

Best regards

Lars

--
E-Mail: Lars.Koeller@Uni-Bielefeld.DE          \ Lars Köller
        lkoeller@FreeBSD.org                   \ CC University of
PGP: http://www.uk.pgp.net/pgpnet/wwwkeys.html \ Bielefeld, Germany
Key-ID: A430D499                               \ Tel: +49 521 106 4964
----------- FreeBSD, what else? ---- http://www.freebsd.org -------------

---------- Attached message ----------
Date: Fri, 12 Jan 2001 18:06:54 -0500
From: "Noel A. Davis"
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: exmh security vulnerability

Brent Welch asked that this message about the exmh symlink problem be
forwarded to Bugtraq.

Thanks,
Noel

RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
http://rootprompt.org/
rss/rdf file: http://www.rootprompt.org/rss/
Text Headlines: http://www.rootprompt.org/rss/text.php3

---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch
To: Albert White - SUN Ireland
Cc: exmh-users@redhat.com, sans@sans.org, noeld@rootprompt.org
Subject: Re: exmh security vulnerability on linux.com

I have put information about the symlink attack and fixes on
http://www.beedub.com/exmh/symlink.html

Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own
tmp directory via the TMPDIR or EXMHTMPDIR environment variable.
Apparently the original bug reported failed to realize this simple remedy.
However, a patch that causes exmh to pick a better directory by default
is in place and available from the above web page. The change is
also checked into CVS.

If someone out there is a member of BUGTRAQ, I would appreciate a posting
to their list about this fix.

>>>Albert White - SUN Ireland said:
> On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html
>
> This bug is mentioned:
>
> "A problem in the bug reporting system for exmh, an X-based interface for the
> MH mail, can cause overwriting of arbitrary system files that are writable by
> the user running exmhexmh encounters a problem in its code, it opens a dialog
> that asks the user what happened and then allows them to send a bug report to
> the author. If the user chooses to e-mail the bug report, exmh creates the
> file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink,
> overwriting the file that it is linked to.
>
> As of this time, the author has not released a patch or updated version. It is
> recommended that the bug report feature not be used on multiuser systems until
> this problem has been fixed."
>
> I think the problem is in error.tcl around line 121:
> 119 proc ExmhMailError { w errInfo } {
> 120     global exmh
> 121     if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
> 122         Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
> 123         return
> 124     }
>
> I guess all that is needed to fix this is a check to see that the file isn't a
> symlink before opening it. I don't know how to do that in tcl though :)
>
> Cheers,
> ~Al

--
Brent Welch
http://www.interwoven.com
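
Added example, not part of the thread and not the exmh patch: the fixed-name open quoted from error.tcl can be hardened by creating the file exclusively, which refuses any pre-existing path (a symlink included) in the same system call and so leaves no gap between a check and the open. The proc name OpenErrorMsg, the scratch directory and the victim file are hypothetical; Tcl 8.5 or later on Unix is assumed.

```tcl
# Added example, not exmh code. OpenErrorMsg is a hypothetical name.
proc OpenErrorMsg {dir} {
    set path [file join $dir exmhErrorMsg]
    # CREAT+EXCL maps to O_CREAT|O_EXCL: the open fails if anything already
    # exists at $path, including a symlink, and a link is never followed.
    if {![catch {open $path {WRONLY CREAT EXCL} 0o600} out]} {
        return $out
    }
    # Something is already there. Reuse the name only for a stale regular
    # file that we own; lstat reports on a link itself, not on its target.
    file lstat $path st
    if {$st(type) ne "file" || ![file owned $path]} {
        error "refusing to write $path: existing $st(type) not owned by us"
    }
    file delete -- $path          ;# removes the name, never a link target
    return [open $path {WRONLY CREAT EXCL} 0o600]
}

# Constructed demonstration in a scratch directory under the current directory.
set dir [file join [pwd] exmh-demo-[pid]]
file mkdir $dir
set victim [file join $dir victim.txt]
set f [open $victim w]; puts $f "important data"; close $f
file link -symbolic [file join $dir exmhErrorMsg] $victim

# The pattern quoted from error.tcl (open ... w) would follow the link and
# truncate victim.txt. The exclusive create refuses instead.
if {[catch {OpenErrorMsg $dir} err]} {
    puts "blocked: $err"
}
set f [open $victim r]; puts "victim still holds: [gets $f]"; close $f
file delete -force -- $dir
```

Pointing TMPDIR or EXMHTMPDIR at a directory only the user can write to, as the message describes, removes the shared /tmp path altogether; the exclusive create covers the case where the directory is shared.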