Acknowledgement sent to Chris Morris <c.i.morris@durham.ac.uk>:
New Bug report received and forwarded. Copy sent to Sander Smeenk <ssmeenk@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sa-exim: Potential for deleting arbitrary local files by remote attack
Date: Wed, 28 Dec 2005 19:38:19 +0000
Package: sa-exim
Version: 4.2-2
Severity: important
Tags: security, patch
Severity only important because it doesn't affect the default
installation - feel free to change it.
The /usr/share/doc/sa-exim/greylistclean.cron file has a security hole -
when an email is sent from an address such as
"Someone /path/to/file Somebody"@example.com
and passes through the greylisting system, this leaves a file called
_Someone /path/to/file Somebody_@example.com
in the greylist cache directory.
Running the cron program will then (after the mtime check is passed)
execute the following command
rm /path/to/cache/_Someone /path/to/file Somebody_@example.com
which will fail to delete the cache file but *may* delete the file
specified by the attacker (depending on who the cron job is being run as
- which may be root).
While the greylistclean.cron file is not automatically installed by the
package, its installation is recommended in the readme file.
A patch is attached.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.29
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages sa-exim depends on:
ii debconf [debconf-2.0] 1.4.30.13 Debian configuration management sy
ii exim4-daemon-heavy 4.50-8 exim MTA (v4) daemon with extended
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii spamc 3.0.3-2 Client for SpamAssassin spam filte
-- debconf information excluded
*** greydiff
--- /usr/share/doc/sa-exim/greylistclean.cron 2005-01-18 03:47:48.000000000 +0000
+++ greylistclean.cron 2005-12-28 19:17:29.000000000 +0000
@@ -12,8 +12,8 @@
# removes
#echo "Greylist removes"
#find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 | xargs -0 grep "Status: Greylisted" | sed "s/:Status: Greylisted//"
-find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 | xargs -0 grep "Status: Greylisted" | sed "s/:Status: Greylisted//" | xargs -r rm
+find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 |xargs -0 grep -l 'Status: Greylisted' |perl -ne 'chomp;unlink if m(/var/spool/sa-exim/tuplets)'
# Delete all entries older than 2 weeks
# Uncomment these 2 lines if you want an hourly cron mail with the whitelist
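Review bot: the new `+find ... |xargs -0 grep -l 'Status: Greylisted' |perl -ne ...` line removes the whitespace splitting that made the old `xargs -r rm` line dangerous, but the handoff between `grep -l` and `perl -ne` is still newline-delimited, so a tuplet name containing a newline would be truncated before `unlink`, and the guard `m(/var/spool/sa-exim/tuplets)` is an unanchored substring match rather than a prefix check. Consider `grep -lZ` with `perl -0ne` (or `xargs -0 rm -f --`) so the path stays NUL-delimited end to end, and anchor the guard as `m(^/var/spool/sa-exim/tuplets/)`; alternatively avoid the pipeline entirely with `find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -exec grep -q 'Status: Greylisted' {} \; -delete`, which never turns a filename into text. The commented reference line above it still shows the old `sed | xargs rm` form and could be updated to match.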
Information forwarded to debian-bugs-dist@lists.debian.org, Sander Smeenk <ssmeenk@debian.org>: Bug#345071; Package sa-exim.
Acknowledgement sent to Chris Morris <c.i.morris@durham.ac.uk>:
Extra info received and forwarded to list. Copy sent to Sander Smeenk <ssmeenk@debian.org>.
A new upstream version of sa-exim (4.2.1) is now available that fixes this
bug and generally improves the greylist cleaning process.
It may also be worth considering a security announcement for sarge.
Thanks
Reply sent to Sander Smeenk <ssmeenk@debian.org>:
You have taken responsibility.
Notification sent to Chris Morris <c.i.morris@durham.ac.uk>:
Bug acknowledged by developer.
Source: sa-exim
Source-Version: 4.2.1-1
We believe that the bug you reported is fixed in the latest version of
sa-exim, which is due to be installed in the Debian FTP archive:
sa-exim_4.2.1-1.diff.gz
to pool/main/s/sa-exim/sa-exim_4.2.1-1.diff.gz
sa-exim_4.2.1-1.dsc
to pool/main/s/sa-exim/sa-exim_4.2.1-1.dsc
sa-exim_4.2.1-1_i386.deb
to pool/main/s/sa-exim/sa-exim_4.2.1-1_i386.deb
sa-exim_4.2.1.orig.tar.gz
to pool/main/s/sa-exim/sa-exim_4.2.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 345071@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sander Smeenk <ssmeenk@debian.org> (supplier of updated sa-exim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 09 Jan 2006 09:01:25 -0800
Source: sa-exim
Binary: sa-exim
Architecture: source i386
Version: 4.2.1-1
Distribution: unstable
Urgency: high
Maintainer: Sander Smeenk <ssmeenk@debian.org>
Changed-By: Sander Smeenk <ssmeenk@debian.org>
Description:
sa-exim - Use spamAssassin at SMTP time with the Exim v4 MTA
Closes: 305890 345071
Changes:
sa-exim (4.2.1-1) unstable; urgency=high
.
* SECURITY: new upstream does a better job at being safe when deleting
greylisting tuplets Closes: #345071
* Fixed sa-exim.conf typo Closes: #305890
* Disable former insecure /etc/cron.daily/greylistclean
Files:
c07b88bc82f13e6a1f754aec63f4002a 572 mail optional sa-exim_4.2.1-1.dsc
5fc371b5daeed7653b5abf904503f459 66884 mail optional sa-exim_4.2.1.orig.tar.gz
643a7ce75f29ce319b53fdef8d0be6f5 1797 mail optional sa-exim_4.2.1-1.diff.gz
d69a7720164a2307d1ad9a70705e894d 74646 mail optional sa-exim_4.2.1-1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 10:51:58 GMT)