Debian Bug report logs - #325135
maildrop: lockmail doesn't drop privileges (CAN-2005-2655)


Package: maildrop; Maintainer for maildrop is Josip Rodin <joy-packages@debian.org>; Source for maildrop is src:maildrop.

Reported by: Max Vozeler <max@decl.org>

Date: Fri, 26 Aug 2005 10:48:03 UTC

Severity: grave

Tags: patch, security

Found in version maildrop/1.5.3-1.1

Fixed in versions 1.5.3-2, maildrop/2.0.2-7

Done: Josip Rodin <joy-packages@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Max Vozeler <max@decl.org>:
New Bug report received and forwarded. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Max Vozeler <max@decl.org>
To: submit@bugs.debian.org
Subject: maildrop: lockmail doesn't drop privileges
Date: Fri, 26 Aug 2005 12:34:20 +0200
[Message part 1 (text/plain, inline)]
Package: maildrop
Version: 1.5.3-1.1
Severity: critical
Justification: local privilege escalation
Tags: security sarge sid patch

Hi Josip,

I've already tried to contact you about this, but have not heard
from you. I'm filing it now to keep track. Please refer to message
<20050602153727.GA24670@dp.roam.hinterhof.net> for full details.

Short description: 
lockmail.maildrop (setgid mail) lets the user specify a program and
execvp()s it, but does not drop egid mail privilege before doing so.
This opens a trivial privilege escalation (see "poc") to group mail.

The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
and should be easy to fix: Just add setgid(getgid()) before the
execvp(). I tested the attached patch briefly and verified that it
builds and prevents this bug.

The bug appears to be specific to Debian, upstream doesn't
seem to install lockmail with a setgid flag.

cheers,
Max
[poc (text/plain, inline)]
$ id
uid=1000(user) gid=1000(user) groups=1000(user)
$ lockmail.maildrop foo /bin/sh
$ id
uid=1000(user) gid=1000(user) egid=8(mail) groups=1000(user)
[lockmail_setgid.diff (text/plain, inline)]
--- liblock/lockmail.c~	2005-06-01 21:43:06.273749472 +0200
+++ liblock/lockmail.c	2005-06-01 21:32:04.000000000 +0200
@@ -160,6 +160,8 @@
 
 		if (pid == 0)
 		{
+			setgid(getgid());
+
 			(void)caught();
 			execvp(argvec[0], argvec);
 
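Review bot: the added `setgid(getgid());` discards its return value, so if the call fails the child still reaches `execvp()` with egid mail; make the drop fail closed, e.g. `if (setgid(getgid()) != 0) _exit(1);`, and on Linux prefer `setresgid(gid, gid, gid)` so the saved set-group-ID is cleared as well rather than only the effective one. Since the drop sits only in the `pid == 0` branch, the parent keeps its setgid privilege (presumably because it still holds the lock), and a one-line comment saying that this asymmetry is intentional would spare the next reader the same question.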

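An added example, not code from the bug report or from maildrop: a hardened version of the child-side privilege drop that the patch above performs, written for a defender checking their own setgid helpers. It assumes Linux/glibc for setresgid() and getresgid(), clears the saved set-group-ID too, verifies the drop instead of trusting it, and refuses to exec if the drop did not happen; run_unprivileged() is a standalone stand-in for lockmail's fork-then-exec shape, not lockmail's code.

```c
#define _GNU_SOURCE          /* setresgid()/getresgid() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototypes so the build does not depend on _GNU_SOURCE being
 * seen before the first include (assumption: Linux, glibc or musl). */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Permanently drop a setgid binary's group privilege: real, effective and
 * saved gid all become the real (invoking user's) gid.  Unlike the bare
 * setgid(getgid()) in the patch, this also clears the saved set-group-ID,
 * and it checks the result instead of discarding it.
 * Returns 0 on success, -1 with errno set if the drop did not happen. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    gid_t r, e, s;

    if (setresgid(real, real, real) != 0)
        return -1;

    /* Verify rather than trust: read all three gids back. */
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    if (r != real || e != real || s != real) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Fork and run a user-supplied command, dropping group privilege in the
 * child first.  Stand-in for the lockmail child branch (assumption: this
 * is not lockmail's own code).  Fails closed: a child that cannot drop
 * privilege exits without exec'ing anything.
 * Returns the child's exit status, or -1 if fork/wait failed or the
 * child was killed by a signal. */
int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privs() != 0) {
            perror("drop_group_privs");
            _exit(127);
        }
        execvp(argv[0], argv);
        perror("execvp");          /* only reached if exec failed */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Usage: ./drop_demo <command> [args...]
 * Installed setgid, running it with `id` as the command shows that the
 * child's egid equals its gid, unlike the "poc" transcript above. */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    printf("parent: gid=%u egid=%u\n",
           (unsigned)getgid(), (unsigned)getegid());
    return run_unprivileged(argv + 1);
}
```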
Severity set to `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #12 received at 325135@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Josip Rodin <joy@debian.org>
Cc: Max Vozeler <max@decl.org>, 325135@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Sat, 27 Aug 2005 12:27:51 +0200
Max Vozeler wrote:
> Short description: 
> lockmail.maildrop (setgid mail) lets the user specify a program and
> execvp()s it, but does not drop egid mail privilege before doing so.
> This opens a trivial privilege escalation (see "poc") to group mail.

Thanks a lot for the report.  This is CAN-2005-2655.

> The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> and should be easy to fix: Just add setgid(getgid()) before the
> execvp(). I tested the attached patch briefly and verified that it
> builds and prevents this bug.

Steve, could you take care of sid and experimental packages if Joy
is too busy?

> The bug appears to be specific to Debian, upstream doesn't
> seem to install lockmail with a setgid flag.

Oh.

Woody is not affected either.

Regards,

	Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Please always Cc to me when replying to me on the lists.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #17 received at 325135@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Josip Rodin <joy@debian.org>, Max Vozeler <max@decl.org>, 325135@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Sat, 27 Aug 2005 11:42:20 +0100
On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:

> Thanks a lot for the report.  This is CAN-2005-2655.
> 
> > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > and should be easy to fix: Just add setgid(getgid()) before the
> > execvp(). I tested the attached patch briefly and verified that it
> > builds and prevents this bug.
> 
> Steve, could you take care of sid and experimental packages if Joy
> is too busy?

  Certainly.  Once the advisory is out I can make an upload if Joy
 hasn't already made one.

Steve
--

Changed Bug title. Request was from Max Vozeler <xam@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Andres Salomon <dilinger@debian.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #24 received at 325135@bugs.debian.org:

From: Andres Salomon <dilinger@debian.org>
To: 325135@bugs.debian.org, Steve Kemp <skx@debian.org>
Cc: Martin Schulze <joey@infodrom.org>, Josip Rodin <joy@debian.org>, Max Vozeler <max@decl.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Sat, 27 Aug 2005 19:03:55 -0400
[Message part 1 (text/plain, inline)]
On Sat, 2005-08-27 at 11:42 +0100, Steve Kemp wrote:
> On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
> 
> > Thanks a lot for the report.  This is CAN-2005-2655.
> > 
> > > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > > and should be easy to fix: Just add setgid(getgid()) before the
> > > execvp(). I tested the attached patch briefly and verified that it
> > > builds and prevents this bug.
> > 
> > Steve, could you take care of sid and experimental packages if Joy
> > is too busy?
> 
>   Certainly.  Once the advisory is out I can make an upload if Joy
>  hasn't already made one.
> 

I can also do an upload; Joy already said I should comaintain, I've just
been waiting for racke to do a new courier upload so that I can actually
use maildrop (I have new maildrop packages in experimental that're just
rotting away, waiting).

Speaking of racke, has anyone checked whether courier-maildrop needs the
same patch?





Andres Salomon <dilinger@debian.org>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #29 received at 325135@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Andres Salomon <dilinger@debian.org>
Cc: 325135@bugs.debian.org
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Sun, 28 Aug 2005 10:22:42 +0100
On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:

> >   Certainly.  Once the advisory is out I can make an upload if Joy
> >  hasn't already made one.
> > 
> 
> I can also do an upload; Joy already said I should comaintain, I've just
> been waiting for racke to do a new courier upload so that I can actually
> use maildrop (I have new maildrop packages in experimental that're just
> rotting away, waiting).

  I'll leave it to you then, unless you tell me differently.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #34 received at 325135@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Andres Salomon <dilinger@debian.org>
Cc: 325135@bugs.debian.org, Steve Kemp <skx@debian.org>, Max Vozeler <max@decl.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Sun, 28 Aug 2005 13:00:19 +0200
Andres Salomon wrote:
> On Sat, 2005-08-27 at 11:42 +0100, Steve Kemp wrote:
> > On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
> > 
> > > Thanks a lot for the report.  This is CAN-2005-2655.
> > > 
> > > > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > > > and should be easy to fix: Just add setgid(getgid()) before the
> > > > execvp(). I tested the attached patch briefly and verified that it
> > > > builds and prevents this bug.
> > > 
> > > Steve, could you take care of sid and experimental packages if Joy
> > > is too busy?
> > 
> >   Certainly.  Once the advisory is out I can make an upload if Joy
> >  hasn't already made one.
> > 
> 
> I can also do an upload; Joy already said I should comaintain, I've just

Please go ahead.

> been waiting for racke to do a new courier upload so that I can actually
> use maildrop (I have new maildrop packages in experimental that're just
> rotting away, waiting).
> 
> Speaking of racke, has anyone checked whether courier-maildrop needs the
> same patch?

Not before your mail.  However, it seems that the code is in the source
package, but there is no lockmail binary exposed by courier, hence, no
need to patch it as well.

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #39 received at 325135@bugs.debian.org:

From: Stefan Hornburg <racke@linuxia.de>
To: Martin Schulze <joey@infodrom.org>, 325135@bugs.debian.org
Cc: racke@linuxia.de, dilinger@debian.org, 325135@bugs.debian.org, skx@debian.org, max@decl.org, team@security.debian.org
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Sun, 28 Aug 2005 18:34:47 +0200
On Sun, 28 Aug 2005 13:00:19 +0200
Martin Schulze <joey@infodrom.org> wrote:

> Andres Salomon wrote:
> > On Sat, 2005-08-27 at 11:42 +0100, Steve Kemp wrote:
> > > On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:
> > > 
> > > > Thanks a lot for the report.  This is CAN-2005-2655.
> > > > 
> > > > > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > > > > and should be easy to fix: Just add setgid(getgid()) before the
> > > > > execvp(). I tested the attached patch briefly and verified that it
> > > > > builds and prevents this bug.
> > > > 
> > > > Steve, could you take care of sid and experimental packages if Joy
> > > > is too busy?
> > > 
> > >   Certainly.  Once the advisory is out I can make an upload if Joy
> > >  hasn't already made one.
> > > 
> > 
> > I can also do an upload; Joy already said I should comaintain, I've just
> 
> Please go ahead.
> 
> > been waiting for racke to do a new courier upload so that I can actually
> > use maildrop (I have new maildrop packages in experimental that're just
> > rotting away, waiting).
> > 
> > Speaking of racke, has anyone checked whether courier-maildrop needs the
> > same patch?
> 
> Not before your mail.  However, it seems that the code is in the source
> package, but there is no lockmail binary exposed by courier, hence, no
> need to patch it as well.

There is a lockmail in courier-mta, but it is not setuid in the sarge version.

Bye
	Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

Reply sent to Andres Salomon <dilinger@debian.org>:
You have taken responsibility.

Notification sent to Max Vozeler <max@decl.org>:
Bug acknowledged by developer.

Message #44 received at 325135-close@bugs.debian.org:

From: Andres Salomon <dilinger@debian.org>
To: 325135-close@bugs.debian.org
Subject: Bug#325135: fixed in maildrop 1.5.3-2
Date: Mon, 29 Aug 2005 11:17:03 -0700
Source: maildrop
Source-Version: 1.5.3-2

We believe that the bug you reported is fixed in the latest version of
maildrop, which is due to be installed in the Debian FTP archive:

maildrop_1.5.3-2.diff.gz
  to pool/main/m/maildrop/maildrop_1.5.3-2.diff.gz
maildrop_1.5.3-2.dsc
  to pool/main/m/maildrop/maildrop_1.5.3-2.dsc
maildrop_1.5.3-2_i386.deb
  to pool/main/m/maildrop/maildrop_1.5.3-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 325135@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilinger@debian.org> (supplier of updated maildrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 29 Aug 2005 12:52:46 -0400
Source: maildrop
Binary: maildrop
Architecture: source i386
Version: 1.5.3-2
Distribution: unstable
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Description: 
 maildrop   - mail delivery agent with filtering abilities
Closes: 265399 325135
Changes: 
 maildrop (1.5.3-2) unstable; urgency=high
 .
   * Add myself as a co-maintainer.
   * Ack NMU (closes: #265399).
   * [SECURITY] Fix privilege escalation bug, whereby one can obtain access
     to group "mail"; lockmail forgets to drop privs.  Thanks to Max Vozeler
     (CAN-2005-2655) (closes: #325135).
Files: 
 d2919d7e28bced545224fdcfa5b2134c 628 mail optional maildrop_1.5.3-2.dsc
 abe712833b112c5e208a0da6ca644014 25006 mail optional maildrop_1.5.3-2.diff.gz
 d57572d4fc10c59072ae4881ef9cdfa2 313742 mail optional maildrop_1.5.3-2_i386.deb


Message sent on to Max Vozeler <max@decl.org>:
Bug#325135.

Message #47 received at 325135-submitter@bugs.debian.org:

From: Andres Salomon <dilinger@debian.org>
To: 325135-submitter@bugs.debian.org, Steve Kemp <skx@debian.org>
Cc: Stefan Hornburg <racke@linuxia.de>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Mon, 29 Aug 2005 14:16:31 -0400
On Sun, 2005-08-28 at 10:22 +0100, Steve Kemp wrote:
> On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:
> 
> > >   Certainly.  Once the advisory is out I can make an upload if Joy
> > >  hasn't already made one.
> > > 
> > 
> > I can also do an upload; Joy already said I should comaintain, I've just
> > been waiting for racke to do a new courier upload so that I can actually
> > use maildrop (I have new maildrop packages in experimental that're just
> > rotting away, waiting).
> 
>   I'll leave it to you then, unless you tell me differently.
> 
> Steve

I just uploaded 1.5.3-2 for sid; Joey & co, I've prepared stable
packages (1.5.3-1.1.sarge.1) here:
http://people.debian.org/~dilinger/security/maildrop/sarge/.  


Joeyh, should I prepare something for testing?

As for experimental: Stefan, is there any chance of getting
courier-authlib 0.50 or 0.51 in sid within the next day or so?  Or do
you still feel it's too experimental for sid?

Message sent on to Max Vozeler <max@decl.org>:
Bug#325135.

Message #50 received at 325135-submitter@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Andres Salomon <dilinger@debian.org>
Cc: 325135-submitter@bugs.debian.org, Stefan Hornburg <racke@linuxia.de>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#325135: maildrop: lockmail doesn't drop privileges
Date: Mon, 29 Aug 2005 20:34:09 +0200
Andres Salomon wrote:
> On Sun, 2005-08-28 at 10:22 +0100, Steve Kemp wrote:
> > On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:
> > 
> > > >   Certainly.  Once the advisory is out I can make an upload if Joy
> > > >  hasn't already made one.
> > > > 
> > > 
> > > I can also do an upload; Joy already said I should comaintain, I've just
> > > been waiting for racke to do a new courier upload so that I can actually
> > > use maildrop (I have new maildrop packages in experimental that're just
> > > rotting away, waiting).
> > 
> >   I'll leave it to you then, unless you tell me differently.
> > 
> > Steve
> 
> I just uploaded 1.5.3-2 for sid; Joey & co, I've prepared stable
> packages (1.5.3-1.1.sarge.1) here:
> http://people.debian.org/~dilinger/security/maildrop/sarge/.  

Thanks, but I'm working on them already.

Regards,

	Joey

-- 
Experience is something you don't get until just after you need it.

Bug reopened, originator not changed. Request was from Andres Salomon <dilinger@debian.org> to control@bugs.debian.org.

Tags removed: sid. Request was from Andres Salomon <dilinger@debian.org> to control@bugs.debian.org.

Tags added: experimental. Request was from Andres Salomon <dilinger@debian.org> to control@bugs.debian.org.

Tags removed: sarge. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Reply sent to Frank Lichtenheld <djpig@debian.org>:
You have taken responsibility.

Notification sent to Max Vozeler <max@decl.org>:
Bug acknowledged by developer.

Message #63 received at 325135-done@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: 325135-done@bugs.debian.org
Subject: Let version tracking deal with it
Date: Sat, 29 Oct 2005 01:35:05 +0200
Version: 1.5.3-2

The version tracking of the BTS should note that this bug is
experimental only; this should not be handled by tags anymore.

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #68 received at 325135@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: 325135@bugs.debian.org, 386700@bugs.debian.org
Subject: NMU uploaded
Date: Sat, 9 Sep 2006 20:03:42 +0200
Hi,

I have uploaded an NMU of your package. This was necessary to fix the local
privilege escalation and to make sure that /etc/maildroprc has the right
owner. Please find the diff used below. This is done as part of making
maildrop available for the next release.


Cheers,
Andi

diff -Nur maildrop-2.0.2~/debian/changelog maildrop-2.0.2/debian/changelog
--- maildrop-2.0.2~/debian/changelog	2006-09-09 16:07:36.000000000 +0200
+++ maildrop-2.0.2/debian/changelog	2006-09-09 19:41:44.576131645 +0200
@@ -1,3 +1,11 @@
+maildrop (2.0.2-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix local privilege escalation, CAN-2005-2655, Closes: #325135
+  * Fix wrong owner of /etc/maildroprc. Closes: #386700
+
+ -- Andreas Barth <aba@not.so.argh.org>  Sat,  9 Sep 2006 16:15:06 +0200
+
 maildrop (2.0.2-6) unstable; urgency=medium
 
   * Documented how return_fail_output must be used instead of return_output
diff -Nur maildrop-2.0.2~/debian/patches/006-maildrop-lockmail-privs.patch maildrop-2.0.2/debian/patches/006-maildrop-lockmail-privs.patch
--- maildrop-2.0.2~/debian/patches/006-maildrop-lockmail-privs.patch	1970-01-01 01:00:00.000000000 +0100
+++ maildrop-2.0.2/debian/patches/006-maildrop-lockmail-privs.patch	2006-09-09 16:13:12.516510300 +0200
@@ -0,0 +1,11 @@
+--- a/liblock/lockmail.c	2002-09-26 14:30:40.000000000 +0200
++++ b/liblock/lockmail.c	2006-09-09 16:12:41.057080193 +0200
+@@ -160,6 +160,8 @@
+ 
+ 		if (pid == 0)
+ 		{
++			setgid(getgid());
++
+ 			(void)caught();
+ 			execvp(argvec[0], argvec);
+ 
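Review bot: this patch file re-applies the 2005 fix verbatim, including its unchecked `setgid(getgid());` return value; since the whole point is that the child must never reach `execvp()` with egid mail, check the result and `_exit()` on failure instead of falling through. A short header in the patch file naming CAN-2005-2655 and #325135 would also make it obvious, on the next upstream bump, that this file must survive the rebase.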
diff -Nur maildrop-2.0.2~/debian/rules maildrop-2.0.2/debian/rules
--- maildrop-2.0.2~/debian/rules	2006-09-09 16:07:36.000000000 +0200
+++ maildrop-2.0.2/debian/rules	2006-09-09 19:47:37.483520808 +0200
@@ -22,3 +22,4 @@
 	chgrp mail $(DEB_DESTDIR)/usr/bin/maildrop $(DEB_DESTDIR)/usr/bin/lockmail.maildrop
 	chmod g+s $(DEB_DESTDIR)/usr/bin/maildrop $(DEB_DESTDIR)/usr/bin/lockmail.maildrop
 	find $(DEB_DESTDIR)/usr -type d -empty | xargs -r rmdir -p --ignore-fail-on-non-empty
+	chown root:root $(DEB_DESTDIR)/etc/maildroprc
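Review bot: the added `chown root:root $(DEB_DESTDIR)/etc/maildroprc` fixes the symptom without explaining it; the step that leaves the file with another owner should be found and fixed so this line is not needed. The two context lines directly above it are also worth a second look in the same hunk: `chgrp mail` plus `chmod g+s` on `lockmail.maildrop` is exactly the Debian-specific setgid bit that the original report says upstream does not install, so the rules file, not only lockmail.c, is where this privilege boundary is created and should be documented.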
-- 
  http://home.arcor.de/andreas-barth/

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Josip Rodin <joy@entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #73 received at 325135@bugs.debian.org:

From: Josip Rodin <joy@entuzijast.net>
To: Andreas Barth <aba@not.so.argh.org>, 325135@bugs.debian.org
Cc: 386700@bugs.debian.org
Subject: Re: Bug#325135: NMU uploaded
Date: Sat, 9 Sep 2006 23:10:17 +0200
On Sat, Sep 09, 2006 at 08:03:42PM +0200, Andreas Barth wrote:
> I will uploaded an NMU of your package. This was necessary to fix the local
> privilege escalation and to make sure that /etc/maildroprc has the right
> owner. Please find the used diff below.

Umm, but bug #325135 was an issue on August 29, 2005, and it was fixed by
Andres Salomon *on that same day*. The only reason it's not closed is that
none of us noticed that it's still open, AFAICT.

Besides,

> +	chown root:root $(DEB_DESTDIR)/etc/maildroprc

That's just a workaround, not actually a solution to that problem.
We need to find where in the build system this file is created so
haphazardly that it has the wrong owner.

> This is done as part to make maildrop available for the next release.

I would appreciate it if you could try to explain this rationally, instead
of instantly announcing a NMU...

-- 
     2. That which causes joy or happiness.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Josip Rodin <joy@entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #78 received at 325135@bugs.debian.org:

From: Josip Rodin <joy@entuzijast.net>
To: Andreas Barth <aba@not.so.argh.org>, 325135@bugs.debian.org
Cc: 386700@bugs.debian.org
Subject: Re: Bug#325135: NMU uploaded
Date: Sat, 9 Sep 2006 23:16:00 +0200
On Sat, Sep 09, 2006 at 11:10:17PM +0200, joy wrote:
> > I will uploaded an NMU of your package. This was necessary to fix the local
> > privilege escalation and to make sure that /etc/maildroprc has the right
> > owner. Please find the used diff below.
> 
> Umm, but bug #325135 was an issue on August 29, 2005, and it was fixed by
> Andres Salomon *on that same day*. The only reason it's not closed is that
> none of us noticed that it's still open, AFAICT.

Oh, crap, no it's not. Other than uploading 1.5.2-2, Andres later uploaded
1.8.1, and apparently omitted that particular patch. I picked up on that
package, and assumed that all is well.

I'm uploading a fixed package :/

> Besides,
> 
> > +	chown root:root $(DEB_DESTDIR)/etc/maildroprc
> 
> That's just a workaround, not actually a solution to that problem.
> We need to find where in the build system is this file created so
> haphazardly that it has the wrong owner.

Apparently, this file is installed by debhelper's dh_install.
Which makes me that much more perplexed...

-- 
     2. That which causes joy or happiness.

Tags removed: experimental. Request was from Josip Rodin <joy@entuzijast.net> to control@bugs.debian.org.

Reply sent to Josip Rodin <joy-packages@debian.org>:
You have taken responsibility.

Notification sent to Max Vozeler <max@decl.org>:
Bug acknowledged by developer.

Message #85 received at 325135-close@bugs.debian.org:

From: Josip Rodin <joy-packages@debian.org>
To: 325135-close@bugs.debian.org
Subject: Bug#325135: fixed in maildrop 2.0.2-7
Date: Sat, 09 Sep 2006 14:33:29 -0700
Source: maildrop
Source-Version: 2.0.2-7

We believe that the bug you reported is fixed in the latest version of
maildrop, which is due to be installed in the Debian FTP archive:

maildrop_2.0.2-7.diff.gz
  to pool/main/m/maildrop/maildrop_2.0.2-7.diff.gz
maildrop_2.0.2-7.dsc
  to pool/main/m/maildrop/maildrop_2.0.2-7.dsc
maildrop_2.0.2-7_i386.deb
  to pool/main/m/maildrop/maildrop_2.0.2-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 325135@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josip Rodin <joy-packages@debian.org> (supplier of updated maildrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat,  9 Sep 2006 00:18:03 +0200
Source: maildrop
Binary: maildrop
Architecture: source i386
Version: 2.0.2-7
Distribution: unstable
Urgency: low
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Josip Rodin <joy-packages@debian.org>
Description: 
 maildrop   - mail delivery agent with filtering abilities
Closes: 325135
Changes: 
 maildrop (2.0.2-7) unstable; urgency=low
 .
   * Added 006-maildirmake-error-clarifications.patch, which clarifies
     two basic error messages in maildirmake.
   * Added *back* the patch that fixes the privilege escalation in lockmail,
     which was fixed on August 29, 2005, but reintroduced afterwards and
     survived up to now. Damn. Thanks to Andreas Barth for noticing.
     This finally closes: #325135.
Files: 
 d2bd1705e068d1a90e9005677c5e9181 673 mail optional maildrop_2.0.2-7.dsc
 641b1cfc21b4bd3daa6abd4dc6ca98fe 12125 mail optional maildrop_2.0.2-7.diff.gz
 ef477a67a296e28d44a4081e9fdbd35d 349614 mail optional maildrop_2.0.2-7_i386.deb


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #90 received at 325135@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: Josip Rodin <joy@entuzijast.net>, 325135@bugs.debian.org
Subject: Re: Bug#325135: NMU uploaded
Date: Sun, 10 Sep 2006 08:42:44 +0200
* Josip Rodin (joy@entuzijast.net) [060909 23:25]:
> On Sat, Sep 09, 2006 at 11:10:17PM +0200, joy wrote:
> > > I will uploaded an NMU of your package. This was necessary to fix the local
> > > privilege escalation and to make sure that /etc/maildroprc has the right
> > > owner. Please find the used diff below.
> > 
> > Umm, but bug #325135 was an issue on August 29, 2005, and it was fixed by
> > Andres Salomon *on that same day*. The only reason it's not closed is that
> > none of us noticed that it's still open, AFAICT.
> 
> Oh, crap, no it's not. Other than uploading 1.5.2-2, Andres later uploaded
> 1.8.1, and apparently omitted that particular patch. I picked up on that
> package, and assumed that all is well.
> 
> I'm uploading a fixed package :/

Thanks. However, if you could do me a favour, please also put the
CVE-number into the changelog with the next upload - that helps to find
out security issues.



Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#325135; Package maildrop.

Acknowledgement sent to Josip Rodin <joy@entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #95 received at 325135@bugs.debian.org:

From: Josip Rodin <joy@entuzijast.net>
To: Andreas Barth <aba@not.so.argh.org>
Cc: 325135@bugs.debian.org
Subject: Re: Bug#325135: NMU uploaded
Date: Sun, 10 Sep 2006 11:56:12 +0200
On Sun, Sep 10, 2006 at 08:42:44AM +0200, Andreas Barth wrote:
> > > > I will uploaded an NMU of your package. This was necessary to fix the local
> > > > privilege escalation and to make sure that /etc/maildroprc has the right
> > > > owner. Please find the used diff below.
> > > 
> > > Umm, but bug #325135 was an issue on August 29, 2005, and it was fixed by
> > > Andres Salomon *on that same day*. The only reason it's not closed is that
> > > none of us noticed that it's still open, AFAICT.
> > 
> > Oh, crap, no it's not. Other than uploading 1.5.2-2, Andres later uploaded
> > 1.8.1, and apparently omitted that particular patch. I picked up on that
> > package, and assumed that all is well.
> > 
> > I'm uploading a fixed package :/
> 
> Thanks. However, if you could do me a favour, please also put the
> CVE-number into the changelog with the next upload - that helps to find
> out security issues.

Oh, sorry about that. I re-instated the 1.5.3-2 changelog entry which
includes it, so I didn't think about the new one. In any case, the
again-vulnerable package was in unstable for just a couple of days and
in testing for one day (and counting...).

-- 
     2. That which causes joy or happiness.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:57:05 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:08:59 2014; Machine Name: beach.debian.org
