From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1KTlY4-0002Sx-2u for garchives@archives.gentoo.org; Thu, 14 Aug 2008 22:44:04 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 277A5E01AA; Thu, 14 Aug 2008 22:42:30 +0000 (UTC) Received: from mx1.falcal.net (falco.in [88.181.30.221]) by pigeon.gentoo.org (Postfix) with ESMTP id DA236E02B9 for ; Thu, 14 Aug 2008 22:41:08 +0000 (UTC) Received: by mx1.falcal.net (Postfix, from userid 1000) id 78B5232CF07; Fri, 15 Aug 2008 00:41:07 +0200 (CEST) Date: Fri, 15 Aug 2008 00:41:07 +0200 From: Raphael Marichez To: gentoo-announce@gentoo.org Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com Subject: [gentoo-announce] [ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability Message-ID: <20080814224107.GA28755@falco.falcal.net> Mail-Followup-To: gentoo-announce@gentoo.org, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND" Content-Disposition: inline X-Web: http://falco.bz/ X-GPG-fingerprint: 04EB 153A 6B28 3E80 87A9 9B4F A77C 4BDE 021C 5BD2 X-GPG-Key: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0x021C5BD2 Organization: Gentoo Linux Security Team User-Agent: Mutt/1.5.16 (2007-06-09) X-Archives-Salt: db084745-6ffc-454e-8642-426c5b53cdf7 X-Archives-Hash: 81401d04b3048a27393363cbd2a9e9ef --d6Gm4EdcadzBjdND Content-Type: text/plain; charset=us-ascii Content-Disposition: inline - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200808-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Postfix: Local privilege escalation vulnerability Date: August 14, 2008 Bugs: #232642 ID: 200808-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Postfix incorrectly checks the ownership of a mailbox, allowing, in certain circumstances, to append data to arbitrary files on a local system with root privileges. Background ========== Postfix is Wietse Venema's mailer that attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 mail-mta/postfix < 2.5.3-r1 *>= 2.4.7-r1 >= 2.5.3-r1 Description =========== Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail to root-owned symlinks in an insecure manner under certain conditions. Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with the systems using symlinks in /dev like Solaris. Furthermore, some systems like Linux allow to hardlink a symlink, while the POSIX.1-2001 standard requires that the symlink is followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937). Impact ====== The combination of these features allows a local attacker to hardlink a root-owned symlink such that the newly created symlink would be root-owned and would point to a regular file (or another symlink) that would be written by the Postfix built-in local(8) or virtual(8) delivery agents, regardless the ownership of the final destination regular file. Depending on the write permissions of the spool mail directory, the delivery style, and the existence of a root mailbox, this could allow a local attacker to append a mail to an arbitrary file like /etc/passwd in order to gain root privileges. The default configuration of Gentoo Linux does not permit any kind of user privilege escalation. The second vulnerability (CVE-2008-2937) allows a local attacker, already having write permissions to the mail spool directory which is not the case on Gentoo by default, to create a previously nonexistent mailbox before Postfix creates it, allowing to read the mail of another user on the system. Workaround ========== The following conditions should be met in order to be vulnerable to local privilege escalation. * The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents. * The mail spool directory (/var/spool/mail) is user-writeable. * The user can create hardlinks pointing to root-owned symlinks located in other directories. Consequently, each one of the following workarounds is efficient. * Verify that your /var/spool/mail directory is not writeable by a user. Normally on Gentoo, only the mail group has write access, and no end-user should be granted the mail group ownership. * Prevent the local users from being able to create hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition. * Use a non-builtin Postfix delivery agent, like procmail or maildrop. * Use the maildir delivery style of Postfix ("home_mailbox=Maildir/" for example). Concerning the second vulnerability, check the write permissions of /var/spool/mail, or check that every Unix account already has a mailbox, by using Wietse Venema's Perl script available in the official advisory. Resolution ========== All Postfix users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1" References ========== [ 1 ] CVE-2008-2936 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936 [ 2 ] CVE-2008-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937 [ 3 ] Official Advisory http://article.gmane.org/gmane.mail.postfix.announce/110 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200808-12.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --d6Gm4EdcadzBjdND Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJIpLSDAAoJEDvRww8BFPxFzRYH/0nE8VpzHbPXmenbZLoHPWMv 6pmbL3oEeeBvDq9yelVQvxCAteSmGh+HJr2IdDCGOEmBzKU4M41PeOYychn0ahxI h4iLwiRdy2kA8isrUPGC0VFfIKXthRMW2MVJpvrluEMae9E5e8vtf1enxwO24oh5 SeDi3fDsmV1H4FCvIj7FOblaOzt/QmcdViKqHhlxRDpOcu2dIQ2OU9nNOjoxho/d Kj7oRRiTdOW/1LBpWOvD4EirB11UJ6+Z118uw6dHHQqpJL4pHoh1su6Lwy4gGwDX 0u4xPgVg4eV2Fa1qtCqWJkDIWz79rZHxAT6nLA2XHtW84b+ra4H58WxeVXQ0/wc= =ntB2 -----END PGP SIGNATURE----- --d6Gm4EdcadzBjdND--