5959538 2001-01-12 18:06 -0500  /97 lines/ Noel A. Davis <noeld@TFN.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-01-15  20:56  by Brevbäraren (som är implementerad i) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: noeld@TFN.NET
Recipient: Bugtraq (import) <14813>
Subject: exmh security vulnerability
------------------------------------------------------------
From: "Noel A. Davis" <noeld@TFN.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.OSF.4.31.0101121805010.31172-100000@fn3.freenet.tlh.fl.us>

Brent Welch <brent.welch@interwoven.com> asked that this message
about the exmh symlink problem be forwarded to Bugtraq.

Thanks,

Noel

RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
http://rootprompt.org/
rss/rdf file:  http://www.rootprompt.org/rss/
Text Headlines:  http://www.rootprompt.org/rss/text.php3

---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch <brent.welch@interwoven.com>
To: Albert White - SUN Ireland <albert.white@ireland.sun.com>
Cc: exmh-users@redhat.com, sans@sans.org, noeld@rootprompt.org
Subject: Re: exmh security vulnerability on linux.com

I have put information about the symlink attack and fixes on
http://www.beedub.com/exmh/symlink.html

Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own
tmp directory via the TMPDIR or EXMHTMPDIR environment variable.
Apparently the original bug reported failed to realize this simple
remedy.  However, a patch that causes exmh to pick a better directory
by default is in place and available from the above web page.  The
change is also checked into CVS.

If someone out there is a member of BUGTRAQ, I would appreciate a
posting to their list about this fix.

>>>Albert White - SUN Ireland said:

 > On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html
 >
 > This bug is mentioned:
 >
 > "A problem in the bug reporting system for exmh, an X-based interface for the
 > MH mail, can cause overwriting of arbitrary system files that are writable by
 > the user running exmhexmh encounters a problem in its code, it opens a dialog
 > that asks the user what happened and then allows them to send a bug report to
 > the author. If the user chooses to e-mail the bug report, exmh creates the
 > file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink,
 > overwriting the file that it is linked to.
 >
 > As of this time, the author has not released a patch or updated version. It is
 > recommended that the bug report feature not be used on multiuser systems until
 > this problem has been fixed."
 >
 > I think the problem is in error.tcl around line 121:
 >    119  proc ExmhMailError { w errInfo } {
 >    120      global exmh
 >    121      if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
 >    122          Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
 >    123          return
 >    124      }
 >
 > I guess all that is needed to fix this is a check to see that the file isn't a
 > symlink before opening it. I don't know how to do that in tcl though :)
 >
 > Cheers,
 > ~Al

--	Brent Welch	<brent.welch@interwoven.com>
	http://www.interwoven.com
(5959538) --------------------------------(Re-wrapped)
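
Added example, not part of the original messages and not exmh code: a Python sketch of the two defenses discussed in this thread, a validated private temp directory and an atomic exclusive create, which unlike a separate is-it-a-symlink check leaves no window between the check and the open. The function names, the EXMHTMPDIR-before-TMPDIR order and the scratch-directory scenario are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

REPORT_NAME = "exmhErrorMsg"  # file name quoted in the thread


def private_tmpdir(environ=os.environ):
    """Pick the user's own temp dir; assumed order: EXMHTMPDIR, then TMPDIR."""
    path = environ.get("EXMHTMPDIR") or environ.get("TMPDIR")
    if not path:
        raise RuntimeError("set EXMHTMPDIR or TMPDIR to a directory you own")
    st = os.lstat(path)  # lstat so a symlinked directory is rejected
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a real directory")
    if st.st_uid != os.getuid() or st.st_mode & 0o022:
        raise RuntimeError(f"{path} is not yours or is writable by others")
    return path


def open_report_unsafe(tmpdir):
    """Same behaviour as the quoted Tcl `open ... w`: follows a symlink."""
    return open(os.path.join(tmpdir, REPORT_NAME), "w")


def open_report_safe(tmpdir):
    """Create atomically; O_EXCL fails if the name exists, symlink or not."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(tmpdir, REPORT_NAME), flags, 0o600)
    return os.fdopen(fd, "w")


def demo():
    """Constructed scenario: the report name already exists as a symlink."""
    with tempfile.TemporaryDirectory() as shared:
        target = os.path.join(shared, "target.txt")
        with open(target, "w") as f:
            f.write("keep me\n")
        os.symlink(target, os.path.join(shared, REPORT_NAME))
        try:
            open_report_safe(shared).close()
            refused = False
        except FileExistsError:
            refused = True
        intact = os.path.getsize(target) == len("keep me\n")
        open_report_unsafe(shared).close()  # truncates the link target
        return refused, intact, os.path.getsize(target) == 0


if __name__ == "__main__":
    print(demo())
```

demo() returns three booleans: the exclusive create refused the pre-existing name, the link target was still intact afterwards, and the plain write-mode open then emptied it.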