Debian Bug report logs - #345071
sa-exim: Potential for deleting arbitrary local files by remote attack

Package: sa-exim; Maintainer for sa-exim is Magnus Holmgren <holmgren@debian.org>; Source for sa-exim is src:sa-exim.

Reported by: Chris Morris <c.i.morris@durham.ac.uk>

Date: Wed, 28 Dec 2005 19:48:01 UTC

Severity: important

Tags: patch, security

Found in version sa-exim/4.2-2

Fixed in version sa-exim/4.2.1-1

Done: Sander Smeenk <ssmeenk@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sander Smeenk <ssmeenk@debian.org>:
Bug#345071; Package sa-exim.


Acknowledgement sent to Chris Morris <c.i.morris@durham.ac.uk>:
New Bug report received and forwarded. Copy sent to Sander Smeenk <ssmeenk@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Chris Morris <c.i.morris@durham.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sa-exim: Potential for deleting arbitrary local files by remote attack
Date: Wed, 28 Dec 2005 19:38:19 +0000

Package: sa-exim
Version: 4.2-2
Severity: important
Tags: security, patch


Severity only important because it doesn't affect the default
installation - feel free to change it.

The /usr/share/doc/sa-exim/greylistclean.cron file has a security hole -
when an email is sent from an address such as 
"Someone /path/to/file Somebody"@example.com
and passes through the greylisting system, this leaves a file called
_Someone /path/to/file Somebody_@example.com
in the greylist cache directory.

Running the cron program will then (after the mtime check is passed) 
execute the following command
rm /path/to/cache/_Someone /path/to/file Somebody_@example.com
which will fail to delete the cache file but *may* delete the file
specified by the attacker (depending on who the cron job is being run as
- which may be root)

While the greylistclean.cron file is not automatically installed by the
package, its installation is recommended in the readme file.

A patch is attached.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.29
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sa-exim depends on:
ii  debconf [debconf-2.0]       1.4.30.13    Debian configuration management sy
ii  exim4-daemon-heavy          4.50-8       exim MTA (v4) daemon with extended
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  spamc                       3.0.3-2      Client for SpamAssassin spam filte

-- debconf information excluded

*** greydiff
--- /usr/share/doc/sa-exim/greylistclean.cron	2005-01-18 03:47:48.000000000 +0000
+++ greylistclean.cron	2005-12-28 19:17:29.000000000 +0000
@@ -12,8 +12,8 @@
 # removes
 #echo "Greylist removes"
 #find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 | xargs -0 grep "Status: Greylisted" | sed "s/:Status: Greylisted//" 
-find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 | xargs -0 grep "Status: Greylisted" | sed "s/:Status: Greylisted//" | xargs -r rm 
 
+find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 |xargs -0 grep -l 'Status: Greylisted' |perl -ne 'chomp;unlink if m(/var/spool/sa-exim/tuplets)'
 
 # Delete all entries older than 2 weeks
 # Uncomment these 2 lines if you want an hourly cron mail with the whitelist
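
Review bot: on the added `perl -ne` line, the check `m(/var/spool/sa-exim/tuplets)` has no `^` anchor, and `grep -l` hands its results over newline-delimited, so the NUL-safe handling set up by `find -print0 | xargs -0` ends at that stage and a name containing a newline is read as more than one candidate. Suggest keeping the list NUL-delimited to the end (`grep -lZ` into `xargs -0 -r rm -f --`, or `perl -0ne`) and anchoring the test as `m(^/var/spool/sa-exim/tuplets/)`; letting find do the whole job with `-exec grep -q 'Status: Greylisted' {} \; -exec rm -f -- {} \;` would avoid re-parsing names altogether. The hunk also moves the blank line from after the command to before it, which is unrelated to the fix.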



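The argument splitting described in message #5, next to a cleanup that never re-parses file names, as an added example (not part of the bug log or of sa-exim). It works only inside a throwaway `mktemp` directory, the tuplet names are constructed, `rm` in the old pipeline is replaced by an argument counter, and the `-mmin +2880` age test is left out so freshly created files match.

```sh
#!/bin/sh
# Added example: everything happens under a throwaway mktemp directory.

# Build a constructed cache with one greylisted tuplet whose name has spaces.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tuplets"
    printf 'Status: Greylisted\n'  > "$sb/tuplets/_Someone decoy Somebody_@example.com"
    printf 'Status: Whitelisted\n' > "$sb/tuplets/plain@example.com"
    printf '%s\n' "$sb"
}

# The old pipeline with "rm" swapped for an argument counter, so nothing is
# deleted: it reports how many separate arguments rm would have received.
old_pipeline_argc() {
    find "$1/tuplets/" -type f -print0 | xargs -0 grep "Status: Greylisted" |
        sed "s/:Status: Greylisted//" | xargs -r sh -c 'echo $#' sh
}

# Hardened cleanup: find hands each path to grep and rm as a single argument,
# so no stage re-parses names; "--" ends rm's option parsing.
# Production use would add the original "-mmin +2880" age test.
safe_clean() {
    find "$1/tuplets/" -type f \
        -exec grep -q 'Status: Greylisted' {} \; -exec rm -f -- {} \;
}

# Prints "<argc seen by old pipeline> <files left after safe_clean>".
demo() {
    sb=$(make_sandbox) || return 1
    argc=$(old_pipeline_argc "$sb")
    safe_clean "$sb"
    left=$(ls "$sb/tuplets" | wc -l | tr -d ' ')
    rm -rf "$sb"
    printf '%s %s\n' "$argc" "$left"
}

demo
```

The old pipeline turns the single cache file name into three arguments, while the hardened form removes exactly the greylisted tuplet and leaves the other entry in place.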
Information forwarded to debian-bugs-dist@lists.debian.org, Sander Smeenk <ssmeenk@debian.org>:
Bug#345071; Package sa-exim.


Acknowledgement sent to Chris Morris <c.i.morris@durham.ac.uk>:
Extra info received and forwarded to list. Copy sent to Sander Smeenk <ssmeenk@debian.org>.


Message #10 received at 345071@bugs.debian.org:

From: Chris Morris <c.i.morris@durham.ac.uk>
To: 345071@bugs.debian.org
Subject: New upstream version
Date: Fri, 13 Jan 2006 11:04:48 +0000 (GMT)

A new upstream version of sa-exim (4.2.1) is now available that fixes this
bug and generally improves the greylist cleaning process.

It may also be worth considering a security announcement for sarge.

Thanks



Reply sent to Sander Smeenk <ssmeenk@debian.org>:
You have taken responsibility.


Notification sent to Chris Morris <c.i.morris@durham.ac.uk>:
Bug acknowledged by developer.


Message #15 received at 345071-close@bugs.debian.org:

From: Sander Smeenk <ssmeenk@debian.org>
To: 345071-close@bugs.debian.org
Subject: Bug#345071: fixed in sa-exim 4.2.1-1
Date: Wed, 22 Mar 2006 14:20:12 -0800

Source: sa-exim
Source-Version: 4.2.1-1

We believe that the bug you reported is fixed in the latest version of
sa-exim, which is due to be installed in the Debian FTP archive:

sa-exim_4.2.1-1.diff.gz
  to pool/main/s/sa-exim/sa-exim_4.2.1-1.diff.gz
sa-exim_4.2.1-1.dsc
  to pool/main/s/sa-exim/sa-exim_4.2.1-1.dsc
sa-exim_4.2.1-1_i386.deb
  to pool/main/s/sa-exim/sa-exim_4.2.1-1_i386.deb
sa-exim_4.2.1.orig.tar.gz
  to pool/main/s/sa-exim/sa-exim_4.2.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 345071@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sander Smeenk <ssmeenk@debian.org> (supplier of updated sa-exim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 09 Jan 2006 09:01:25 -0800
Source: sa-exim
Binary: sa-exim
Architecture: source i386
Version: 4.2.1-1
Distribution: unstable
Urgency: high
Maintainer: Sander Smeenk <ssmeenk@debian.org>
Changed-By: Sander Smeenk <ssmeenk@debian.org>
Description: 
 sa-exim    - Use spamAssassin at SMTP time with the Exim v4 MTA
Closes: 305890 345071
Changes: 
 sa-exim (4.2.1-1) unstable; urgency=high
 .
   * SECURITY: new upstream does a better job at being safe when deleting
     greylisting tuplets Closes: #345071
   * Fixed sa-exim.conf typo Closes: #305890
   * Disable former insecure /etc/cron.daily/greylistclean
Files: 
 c07b88bc82f13e6a1f754aec63f4002a 572 mail optional sa-exim_4.2.1-1.dsc
 5fc371b5daeed7653b5abf904503f459 66884 mail optional sa-exim_4.2.1.orig.tar.gz
 643a7ce75f29ce319b53fdef8d0be6f5 1797 mail optional sa-exim_4.2.1-1.diff.gz
 d69a7720164a2307d1ad9a70705e894d 74646 mail optional sa-exim_4.2.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEIb8i1GN+QQjOyU0RAjvFAKCzoAkcnF1ConFlvTWcuUsNzvNLhACfXF9n
Hvvgjl3XR/21rSlYHgSveUE=
=v7ei
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:51:58 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:40:08 2025; Machine Name: buxtehude
