Debian Bug report logs - #564601
possible problems when switching UID/GIDs in delivery mode when run as root


Package: maildrop; Maintainer for maildrop is Josip Rodin <joy-packages@debian.org>; Source for maildrop is src:maildrop.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Sun, 10 Jan 2010 16:15:02 UTC

Severity: grave

Tags: security

Fixed in versions maildrop/2.2.0-3.1, maildrop/2.0.4-3+lenny1, maildrop/2.0.2-11+etch1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Sun, 10 Jan 2010 16:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
New Bug report received and forwarded. Copy sent to Josip Rodin <joy-packages@debian.org>. (Sun, 10 Jan 2010 16:15:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Sun, 10 Jan 2010 17:06:56 +0100
Package: maildrop
Justification: user security hole
Severity: grave
Tags: security

Hi.

Not sure if this is actually a hole or if I just misunderstand
something,... but:

In Debian /usr/bin/maildrop is installed:
-rwxr-sr-x 1 root mail 163k Nov  9 01:11 /usr/bin/maildrop

So I'd expect that the following invocation (as root!!):
# maildrop -d vmail
results in something like the following contents of /tmp/foo:
uid=115(vmail) gid=119(vmail) groups=119(vmail),119(vmail)
when ~vmail/.mailfilter is:
`id`

Right so far?
It does however result in:
uid=115(vmail) gid=0(root) groups=119(vmail),0(root)
which can be quite security critical as it now has root-group
privileges.


Cheers,
Chris.





Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Sun, 10 Jan 2010 16:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Sun, 10 Jan 2010 16:57:03 GMT) Full text and rfc822 format available.

Message #10 received at 564601@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Cc: Sam Varshavchik <mrsam@courier-mta.com>
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Sun, 10 Jan 2010 17:54:04 +0100
On Sun, Jan 10, 2010 at 05:06:56PM +0100, Christoph Anton Mitterer wrote:
> Not sure if this is actually a hole or if I just misunderstand
> something,... but:
> 
> In Debian /usr/bin/maildrop is installed:
> -rwxr-sr-x 1 root mail 163k Nov  9 01:11 /usr/bin/maildrop
> 
> So I'd expect that the following invocation (as root!!):
> # maildrop -d vmail
> results in something like the following contents of /tmp/foo:
> uid=115(vmail) gid=119(vmail) groups=119(vmail),119(vmail)
> when ~vmail/.mailfilter is:
> `id`
> 
> Right so far?
> It does however result in:
> uid=115(vmail) gid=0(root) groups=119(vmail),0(root)
> which can be quite security critical as it now has root-group
> privileges.

Hmm. It shouldn't have anything to do with the setgid bit, because it's
setgid to the mail group, not the root group.

I think we've had a bug report related to the supplementary groups once
before, maybe the patch somehow got lost, I'll need to check the history.
Sam?

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Sun, 10 Jan 2010 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Sun, 10 Jan 2010 17:36:03 GMT) Full text and rfc822 format available.

Message #15 received at 564601@bugs.debian.org (full text, mbox):

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Sun, 10 Jan 2010 12:29:39 -0500
Josip Rodin writes:

> On Sun, Jan 10, 2010 at 05:06:56PM +0100, Christoph Anton Mitterer wrote:
>> Not sure if this is actually a hole or if I just misunderstand
>> something,... but:
>> 
>> In Debian /usr/bin/maildrop is installed:
>> -rwxr-sr-x 1 root mail 163k Nov  9 01:11 /usr/bin/maildrop
>> 
>> So I'd expect that the following invocation (as root!!):
>> # maildrop -d vmail
>> results in something like the following contents of /tmp/foo:
>> uid=115(vmail) gid=119(vmail) groups=119(vmail),119(vmail)
>> when ~vmail/.mailfilter is:
>> `id`
>> 
>> Right so far?
>> It does however result in:
>> uid=115(vmail) gid=0(root) groups=119(vmail),0(root)
>> which can be quite security critical as it now has root-group
>> privileges.
> 
> Hmm. It shouldn't have anything to do with the setgid bit, because it's
> setgid to the mail group, not the root group.
> 
> I think we've had a bug report related to the supplementary groups once
> before, maybe the patch somehow got lost, I'll need to check the history.
> Sam?

This depends on the maildrop configuration, but generally setgroupid won't 
have any effect if maildrop is invoked as root, since maildrop will use the 
userid specified by the -d option to set its running group and userid 
anyway.



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Mon, 11 Jan 2010 23:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Mon, 11 Jan 2010 23:30:03 GMT) Full text and rfc822 format available.

Message #20 received at 564601@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Josip Rodin <joy@debbugs.entuzijast.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Tue, 12 Jan 2010 00:23:14 +0100
On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
> This depends on the maildrop configuration, but generally setgroupid won't 
> have any effect if maildrop is invoked as root, since maildrop will use the 
> userid specified by the -d option to set its running group and userid 
> anyway.
Uhm... what does this mean? It definitely has root-group permissions....
(at least the Debian version) ;)


Cheers,
Chris.





Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Tue, 12 Jan 2010 02:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Tue, 12 Jan 2010 02:57:03 GMT) Full text and rfc822 format available.

Message #25 received at 564601@bugs.debian.org (full text, mbox):

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Josip Rodin <joy@debbugs.entuzijast.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Mon, 11 Jan 2010 21:56:21 -0500
Christoph Anton Mitterer writes:

> On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
>> This depends on the maildrop configuration, but generally setgroupid won't 
>> have any effect if maildrop is invoked as root, since maildrop will use the 
>> userid specified by the -d option to set its running group and userid 
>> anyway.
> Uhm... what does this mean? It definitely has root-group permissions....
> (at least the Debian version) ;)

If maildrop runs as root, maildrop can set its userid and groupid, maildrop 
drops root according to the userid and groupid that's specified by the -d 
option. The group id that maildrop gets invoked as, is irrelevant as long as 
the userid is root. The root uid is sufficient for any process to change its 
gid and uid. So, when maildrop is invoked by root, its group id, whether 
natural or if set by the setgroupid bit, has no effect.



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Tue, 12 Jan 2010 10:48:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Tue, 12 Jan 2010 10:48:15 GMT) Full text and rfc822 format available.

Message #30 received at 564601@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Tue, 12 Jan 2010 11:47:42 +0100
On Mon, Jan 11, 2010 at 09:56:21PM -0500, Sam Varshavchik wrote:
> Christoph Anton Mitterer writes:
>> On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
>>> This depends on the maildrop configuration, but generally setgroupid 
>>> won't have any effect if maildrop is invoked as root, since maildrop 
>>> will use the userid specified by the -d option to set its running 
>>> group and userid anyway.
>> Uhm... what does this mean? It definitely has root-group permissions....
>> (at least the Debian version) ;)
>
> If maildrop runs as root, maildrop can set its userid and groupid, 
> maildrop drops root according to the userid and groupid that's specified 
> by the -d option. The group id that maildrop gets invoked as, is 
> irrelevant as long as the userid is root. The root uid is sufficient for 
> any process to change its gid and uid. So, when maildrop is invoked by 
> root, its group id, whether natural or if set by the setgroupid bit, has 
> no effect.

I think we all agree on that. What Christoph has found, and I have
reproduced, is that it doesn't exactly turn out properly.

Can you verify? Add a simple test user, put `id` in its .mailfilter, and
see what output you get. This is with version 2.2.0.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Tue, 12 Jan 2010 12:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Tue, 12 Jan 2010 12:24:06 GMT) Full text and rfc822 format available.

Message #35 received at 564601@bugs.debian.org (full text, mbox):

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Tue, 12 Jan 2010 07:13:50 -0500
Josip Rodin writes:

> On Mon, Jan 11, 2010 at 09:56:21PM -0500, Sam Varshavchik wrote:
>> Christoph Anton Mitterer writes:
>>> On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
>>>> This depends on the maildrop configuration, but generally setgroupid 
>>>> won't have any effect if maildrop is invoked as root, since maildrop 
>>>> will use the userid specified by the -d option to set its running 
>>>> group and userid anyway.
>>> Uhm... what does this mean? It definitely has root-group permissions....
>>> (at least the Debian version) ;)
>>
>> If maildrop runs as root, maildrop can set its userid and groupid, 
>> maildrop drops root according to the userid and groupid that's specified 
>> by the -d option. The group id that maildrop gets invoked as, is 
>> irrelevant as long as the userid is root. The root uid is sufficient for 
>> any process to change its gid and uid. So, when maildrop is invoked by 
>> root, its group id, whether natural or if set by the setgroupid bit, has 
>> no effect.
> 
> I think we all agree on that. What Christoph has found, and I have
> reproduced, is that it doesn't exactly turn out properly.
> 
> Can you verify? Add a simple test user, put `id` in its .mailfilter, and
> see what output you get. This is with version 2.2.0.

# authtest mrsam@courier-mta.com
Authentication succeeded.

    Authenticated: mrsam@courier-mta.com  (uid 8, gid 12)
   Home Directory: /var/spool/maildir/mrsam
          Maildir: (none)
            Quota: (none)
Encrypted Password:
Cleartext Password: (none)
          Options: (none)

That's how I have my mailbox configured in courier-authlib. I get:

uid=8(mail) gid=12(mail) groups=12(mail)



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Tue, 12 Jan 2010 15:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Tue, 12 Jan 2010 15:48:03 GMT) Full text and rfc822 format available.

Message #40 received at 564601@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Tue, 12 Jan 2010 16:43:59 +0100
On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
> # authtest mrsam@courier-mta.com
> Authentication succeeded.
>
>     Authenticated: mrsam@courier-mta.com  (uid 8, gid 12)
>    Home Directory: /var/spool/maildir/mrsam
>           Maildir: (none)
>             Quota: (none)
> Encrypted Password:
> Cleartext Password: (none)
>           Options: (none)
>
> That's how I have my mailbox configured in courier-authlib. I get:
>
> uid=8(mail) gid=12(mail) groups=12(mail)

Just to make sure - because I can't tell from this output - does this test
include root running "maildrop -d mail"?

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Tue, 12 Jan 2010 22:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Tue, 12 Jan 2010 22:57:08 GMT) Full text and rfc822 format available.

Message #45 received at 564601@bugs.debian.org (full text, mbox):

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Tue, 12 Jan 2010 17:54:56 -0500
Josip Rodin writes:

> On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
>> # authtest mrsam@courier-mta.com
>> Authentication succeeded.
>>
>>     Authenticated: mrsam@courier-mta.com  (uid 8, gid 12)
>>    Home Directory: /var/spool/maildir/mrsam
>>           Maildir: (none)
>>             Quota: (none)
>> Encrypted Password:
>> Cleartext Password: (none)
>>           Options: (none)
>>
>> That's how I have my mailbox configured in courier-authlib. I get:
>>
>> uid=8(mail) gid=12(mail) groups=12(mail)
> 
> Just to make sure - because I can't tell from this output - does this test
> include root running "maildrop -d mail"?

maildrop -d mrsam@courier-mta.com, in my case.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Tue, 12 Jan 2010 23:33:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Tue, 12 Jan 2010 23:33:12 GMT) Full text and rfc822 format available.

Message #50 received at 564601@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Wed, 13 Jan 2010 00:32:21 +0100
On Tue, Jan 12, 2010 at 05:54:56PM -0500, Sam Varshavchik wrote:
> Josip Rodin writes:
>> On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
>>> # authtest mrsam@courier-mta.com
>>> Authentication succeeded.
>>>
>>>     Authenticated: mrsam@courier-mta.com  (uid 8, gid 12)
>>>    Home Directory: /var/spool/maildir/mrsam
>>>           Maildir: (none)
>>>             Quota: (none)
>>> Encrypted Password:
>>> Cleartext Password: (none)
>>>           Options: (none)
>>>
>>> That's how I have my mailbox configured in courier-authlib. I get:
>>>
>>> uid=8(mail) gid=12(mail) groups=12(mail)
>>
>> Just to make sure - because I can't tell from this output - does this test
>> include root running "maildrop -d mail"?
>
> maildrop -d mrsam@courier-mta.com, in my case.

OK, but this is different behaviour from what the bug report is about?

This is what I mean:

% sudo useradd -m -d /tmp/testmaildrop testmaildrop
% id testmaildrop
uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
% sudo -u testmaildrop sh -c "echo echo \\\`id\\\` >> ~testmaildrop/.mailfilter"
% sudo -u testmaildrop sh -c "echo exit >> ~testmaildrop/.mailfilter"
% sudo maildrop -V2 -d testmaildrop < /dev/null
ERR: authdaemon: s_connect() failed: No such file or directory
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=1006(testmaildrop) gid=0(root) groups=0(root)

That's the problem. After using -d, it changes the user but not the group.
Can you reproduce that?

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Wed, 13 Jan 2010 01:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Wed, 13 Jan 2010 01:06:03 GMT) Full text and rfc822 format available.

Message #55 received at 564601@bugs.debian.org (full text, mbox):

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Tue, 12 Jan 2010 20:02:31 -0500
Josip Rodin writes:

> On Tue, Jan 12, 2010 at 05:54:56PM -0500, Sam Varshavchik wrote:
>> Josip Rodin writes:
>>> On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
>>>> # authtest mrsam@courier-mta.com
>>>> Authentication succeeded.
>>>>
>>>>     Authenticated: mrsam@courier-mta.com  (uid 8, gid 12)
>>>>    Home Directory: /var/spool/maildir/mrsam
>>>>           Maildir: (none)
>>>>             Quota: (none)
>>>> Encrypted Password:
>>>> Cleartext Password: (none)
>>>>           Options: (none)
>>>>
>>>> That's how I have my mailbox configured in courier-authlib. I get:
>>>>
>>>> uid=8(mail) gid=12(mail) groups=12(mail)
>>>
>>> Just to make sure - because I can't tell from this output - does this test
>>> include root running "maildrop -d mail"?
>>
>> maildrop -d mrsam@courier-mta.com, in my case.
> 
> OK, but this is different behaviour from what the bug report is about?
> 
> This is what I mean:
> 
> % sudo useradd -m -d /tmp/testmaildrop testmaildrop
> % id testmaildrop
> uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
> % sudo -u testmaildrop sh -c "echo echo \\\`id\\\` >> ~testmaildrop/.mailfilter"
> % sudo -u testmaildrop sh -c "echo exit >> ~testmaildrop/.mailfilter"
> % sudo maildrop -V2 -d testmaildrop < /dev/null
> ERR: authdaemon: s_connect() failed: No such file or directory
> maildrop: Changing to /tmp/testmaildrop
> Message start at 0 bytes, envelope sender=testmaildrop
> maildrop: Attempting .mailfilter
> maildrop: Filtering through `id`
> uid=1006(testmaildrop) gid=0(root) groups=0(root)
> 
> That's the problem. After using -d, it changes the user but not the group.
> Can you reproduce that?


	my_pw=getpwnam(deliverymode);
	if (!my_pw)
		nouser();
#if	RESET_GID
	setgroupid(my_pw->pw_gid);
#endif
	setuid(my_pw->pw_uid);


This conditional compilation flag is set up in configure.in:

if test "`ls -ld $TDIR/. | cut -c10`" = "t"
then
       MBOX_RESET_GID=1
else
       MBOX_RESET_GID=0
fi

TDIR is /var/spool/mail. Basically, the process's group ID gets set only if 
configure finds that its sticky bit is set.

Some historical unix platforms had the sticky bit set on /var/spool/mail, 
and users' mailboxes are owned fully by the users' uid and gid. So 
/var/spool/mail has the same permission-wise semantics as /tmp.

But on modern platforms, /var/spool/mail does not have its sticky bit set. 
The directory is owned by group mail, writeable by the mail group, and each 
mailbox in /var/spool/mail is owned by the userid, and groupid mail. In this 
environment, for maildrop to be able to create a mailbox in /var/spool/mail, 
it must be run as group mail. maildrop's binary gets installed as userid 
root, group mail, setuserid and setgroupid bits set.

So, invoking maildrop gives it root privileges, and groupid mail. maildrop 
checks the -d option, changes its userid as specified, leaves the group id 
at its acquired "mail" uid, then it can create stuff in /var/spool/mail 
appropriately.

That's what it looks like is happening here, to me. The missing link in your 
situation, apparently, is maildrop binary's setgroupid bit being set.

Note that there's extensive discussion of this in maildrop's INSTALL. 
Search for "RESET_GID" in INSTALL. The only thing I see in INSTALL that 
might need correcting is the reference to RESET_GID's default value always 
being 1; that's not true.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Wed, 13 Jan 2010 11:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Wed, 13 Jan 2010 11:09:03 GMT) Full text and rfc822 format available.

Message #60 received at 564601@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Wed, 13 Jan 2010 11:25:24 +0100
On Tue, Jan 12, 2010 at 08:02:31PM -0500, Sam Varshavchik wrote:
>> % id testmaildrop
>> uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
>> uid=1006(testmaildrop) gid=0(root) groups=0(root)
>> That's the problem. After using -d, it changes the user but not the group.
>> Can you reproduce that?
>
> So, invoking maildrop gives it root privileges, and groupid mail. 
> maildrop checks the -d option, changes its userid as specified, leaves 
> the group id at its acquired "mail" uid, then it can create stuff in 
> /var/spool/mail appropriately.
>
> That's what it looks like is happening here, to me. The missing link in 
> your situation, apparently, is maildrop binary's setgroupid bit being 
> set.

We use this by default:

% ls -l =maildrop
-rwxr-sr-x 1 root mail 162676 2008-01-20 23:23 /usr/bin/maildrop

I think we're suffering from the fact that the +s bit sets the effective
gid, but that gets ignored later. I'm not sure, but it sounds like we may
need an explicit setgid or something, to make sure we really honor the
+s bit rather than root's real gid?

% cat gid.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(void) {

  gid_t mygid;

  /* Real and effective gid before the switch: with g+s on the binary
   * they differ, the effective one being the file's group. */
  mygid = getgid();
  printf("getgid returned: %d\n", (int)mygid);
  mygid = getegid();
  printf("getegid returned: %d\n", (int)mygid);

  /* Make the real gid follow the effective (setgid-bit) gid. For an
   * unprivileged caller only the effective gid is touched; for root the
   * real and saved gid are set as well. */
  if (setgid(getegid()) != 0)
    perror("setgid");

  mygid = getgid();
  printf("getgid returned: %d\n", (int)mygid);
  mygid = getegid();
  printf("getegid returned: %d\n", (int)mygid);

  return 0;
}
% gcc -o gid gid.c
% sudo chgrp mail ./gid; sudo chmod g+s ./gid
% ./gid
getgid returned: 1000
getegid returned: 8
getgid returned: 1000
getegid returned: 8
% sudo ./gid
getgid returned: 0
getegid returned: 8
getgid returned: 8
getegid returned: 8

-- 
     2. That which causes joy or happiness.
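Josip's gid.c shows the real and effective gid diverging under the setgid bit, and Sam's excerpt shows the -d path calling setuid() with the gid switch behind a configure-time flag. As an added example (not maildrop's code and not from any participant in this report), here is the drop order that leaves no root group behind, together with a check on the resulting credentials; it assumes Linux/glibc, and "nobody" as the default target account is an assumption.

```c
/* Added example, not maildrop's code: drop from root to a target account
 * with supplementary groups, gid and uid all switched, then verify the
 * result the way `id` was used in this thread. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 64

/* Real and effective ids plus the supplementary group list. */
struct creds {
    uid_t ruid, euid;
    gid_t rgid, egid;
    gid_t groups[MAX_GROUPS];
    int ngroups;
};

/* Snapshot the calling process's credentials. Returns 0 on success. */
int capture_creds(struct creds *c)
{
    c->ruid = getuid();
    c->euid = geteuid();
    c->rgid = getgid();
    c->egid = getegid();
    c->ngroups = getgroups(MAX_GROUPS, c->groups);
    return c->ngroups < 0 ? -1 : 0;
}

/* 1 if both uids equal want_uid, both gids equal want_gid, and no
 * supplementary group is root (gid 0) unless root is the wanted gid.
 * Real and effective ids are compared separately, so a gid that was
 * changed only in the effective slot (the gid.c observation) is caught,
 * as is a supplementary list that still carries root (the first report). */
int creds_dropped_to(const struct creds *c, uid_t want_uid, gid_t want_gid)
{
    int i;
    if (c->ruid != want_uid || c->euid != want_uid) return 0;
    if (c->rgid != want_gid || c->egid != want_gid) return 0;
    for (i = 0; i < c->ngroups; i++)
        if (c->groups[i] == 0 && want_gid != 0) return 0;
    return 1;
}

/* Drop from root to the account `name`: supplementary groups first, then
 * the gid, then the uid, because once the uid is no longer 0 the process
 * can no longer change its groups. Returns 0 only if the drop took effect. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    struct creds c;
    uid_t uid;
    gid_t gid;
    if (!pw) return -1;
    uid = pw->pw_uid;
    gid = pw->pw_gid;
    /* Replace the inherited list, which in the reports above still held root. */
    if (initgroups(name, gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;   /* as root: real, effective and saved gid */
    if (setuid(uid) != 0) return -1;   /* must come last */
    if (capture_creds(&c) != 0) return -1;
    return creds_dropped_to(&c, uid, gid) ? 0 : -1;
}

/* Stand-alone use: `sudo ./a.out <user>` drops to <user> and reports. */
int main(int argc, char **argv)
{
    struct creds c;
    const char *target = argc > 1 ? argv[1] : "nobody"; /* assumed account */
    if (geteuid() == 0 && drop_to_user(target) != 0) {
        fprintf(stderr, "dropping to %s failed\n", target);
        return 1;
    }
    if (capture_creds(&c) != 0) return 1;
    printf("uid=%u/%u gid=%u/%u supplementary groups=%d\n",
           (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.rgid,
           (unsigned)c.egid, c.ngroups);
    return 0;
}
```

The saved set-user/group ids are not inspected here; on Linux getresuid()/getresgid() would extend the same check to them.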




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Wed, 13 Jan 2010 12:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Wed, 13 Jan 2010 12:15:03 GMT) Full text and rfc822 format available.

Message #65 received at 564601@bugs.debian.org (full text, mbox):

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Wed, 13 Jan 2010 07:13:38 -0500
Josip Rodin writes:

> On Tue, Jan 12, 2010 at 08:02:31PM -0500, Sam Varshavchik wrote:
>>> % id testmaildrop
>>> uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
>>> uid=1006(testmaildrop) gid=0(root) groups=0(root)
>>> That's the problem. After using -d, it changes the user but not the group.
>>> Can you reproduce that?
>>
>> So, invoking maildrop gives it root privileges, and groupid mail. 
>> maildrop checks the -d option, changes its userid as specified, leaves 
>> the group id at its acquired "mail" uid, then it can create stuff in 
>> /var/spool/mail appropriately.
>>
>> That's what it looks like is happening here, to me. The missing link in 
>> your situation, apparently, is maildrop binary's setgroupid bit being 
>> set.
> 
> We use this by default:
> 
> % ls -l =maildrop
> -rwxr-sr-x 1 root mail 162676 2008-01-20 23:23 /usr/bin/maildrop
> 
> I think we're suffering from the fact that the +s bit sets the effective
> gid, but that gets ignored later. I'm not sure, but it sounds like we may
> need an explicit setgid or something, to make sure we really honor the
> +s bit rather than root's real gid?

Maybe, maybe not. Instead of invoking 'id' as a child process of maildrop, 
try just having maildrop deliver a test message to a new mailbox, and see 
what the ownership of the new file becomes.

There's some juggling of userid and groupid that happens as a result of 
exec(), so exec()ing 'id' may itself be changing the picture. The man page 
for exec(2) says:

      The effective user ID of the process is copied to the  saved  set-user-
      ID; similarly, the effective group ID is copied to the saved set-group-
      ID.  This copying takes place after any effective ID changes that occur
      because of the set-user-ID and set-group-ID permission bits.

That does not paint 100% of the picture, but I have a dim recollection of 
having to deal with this, in a different context, elsewhere. Try the 
experiment I suggested, and see what happens.


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Wed, 13 Jan 2010 12:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Wed, 13 Jan 2010 12:27:07 GMT) Full text and rfc822 format available.

Message #70 received at 564601@bugs.debian.org (full text, mbox):

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Wed, 13 Jan 2010 12:18:14 +0100
On Wed, Jan 13, 2010 at 07:13:38AM -0500, Sam Varshavchik wrote:
>>>> % id testmaildrop
>>>> uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
>>>> uid=1006(testmaildrop) gid=0(root) groups=0(root)
>>>> That's the problem. After using -d, it changes the user but not the group.
>>>> Can you reproduce that?
>>>
>>> So, invoking maildrop gives it root privileges, and groupid mail.  
>>> maildrop checks the -d option, changes its userid as specified, 
>>> leaves the group id at its acquired "mail" uid, then it can create 
>>> stuff in /var/spool/mail appropriately.
>>>
>>> That's what it looks like is happening here, to me. The missing link 
>>> in your situation, apparently, is maildrop binary's setgroupid bit 
>>> being set.
>>
>> We use this by default:
>>
>> % ls -l =maildrop
>> -rwxr-sr-x 1 root mail 162676 2008-01-20 23:23 /usr/bin/maildrop
>>
>> I think we're suffering from the fact that the +s bit sets the effective
>> gid, but that gets ignored later. I'm not sure, but it sounds like we may
>> need an explicit setgid or something, to make sure we really honor the
>> +s bit rather than root's real gid?
>
> Maybe, maybe not. Instead of invoking 'id' as a child process of 
> maildrop, try just having maildrop deliver a test message to a new 
> mailbox, and see what the ownership of the new file becomes.

That part is fine, it sets the group to mail on newly-created mailboxes.

But at the same time this maildrop is able to deliver mails to existing
files whose group is set to "root" and are group-writable. I created an
empty file owned by root:root mode 660 and 'maildrop -d testmaildrop'
successfully wrote to it. That side-effect is not supposed to happen.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Thu, 14 Jan 2010 00:48:08 GMT)

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Thu, 14 Jan 2010 00:48:08 GMT)

Message #75 received at 564601@bugs.debian.org:

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Wed, 13 Jan 2010 19:44:07 -0500
Josip Rodin writes:

> On Wed, Jan 13, 2010 at 07:13:38AM -0500, Sam Varshavchik wrote:
>> Maybe, maybe not. Instead of invoking 'id' as a child process of 
>> maildrop, try just having maildrop deliver a test message to a new 
>> mailbox, and see what the ownership of the new file becomes.
> 
> That part is fine, it sets the group to mail on newly-created mailboxes.
> 
> But at the same time this maildrop is able to deliver mails to existing
> files whose group is set to "root" and are group-writable. I created an
> empty file owned by root:root mode 660 and 'maildrop -d testmaildrop'
> successfully wrote to it. That side-effect is not supposed to happen.

Let's try the following patch. I do appreciate your help in testing it. It's 
not easy for me to test all possible permutations of distro-specific 
configurations, and platform-specific nuances, that float around.


diff -U3 -r1.58 main.C
--- maildrop/main.C	13 Jan 2010 01:32:02 -0000	1.58
+++ maildrop/main.C	14 Jan 2010 00:41:13 -0000
@@ -564,6 +564,8 @@

#if	RESET_GID
	setgroupid(getgid());
+#else
+	setgroupid(getegid());
#endif

uid_t	my_u=getuid();
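Review bot: the new `#else` branch puts `setgroupid(getegid())` in the block at line 564, but the delivery-mode (`-d`) path has already called `setuid(my_pw->pw_uid)` in the earlier block at line 476 (see the second patch in this thread), and once the effective uid is no longer root the real gid can no longer be moved to the setgid group, which is why the follow-up test reports no change in behaviour. The gid reset belongs ahead of that `setuid()`, and it should be verified afterwards with something like `if (getgid() != getegid())` mirroring the existing `if (getuid() != my_pw->pw_uid)` check, so a failed group switch aborts rather than continuing with root's gid.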


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Thu, 14 Jan 2010 13:54:06 GMT)

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Thu, 14 Jan 2010 13:54:06 GMT)

Message #80 received at 564601@bugs.debian.org:

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Thu, 14 Jan 2010 14:52:11 +0100
On Wed, Jan 13, 2010 at 07:44:07PM -0500, Sam Varshavchik wrote:
> Let's try the following patch. I do appreciate your help in testing it. 
> It's not easy for me to test all possible permutations of distro-specific 
> configurations, and platform-specific nuances, that float around.
>
> diff -U3 -r1.58 main.C
> --- maildrop/main.C	13 Jan 2010 01:32:02 -0000	1.58
> +++ maildrop/main.C	14 Jan 2010 00:41:13 -0000
> @@ -564,6 +564,8 @@
>
> #if	RESET_GID
> 	setgroupid(getgid());
> +#else
> +	setgroupid(getegid());
> #endif
>
> uid_t	my_u=getuid();

Sadly there's no change in behaviour of the test case. I'll try fiddling
with it some more.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Thu, 14 Jan 2010 14:15:06 GMT)

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Thu, 14 Jan 2010 14:15:06 GMT)

Message #85 received at 564601@bugs.debian.org:

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Thu, 14 Jan 2010 15:11:25 +0100
On Wed, Jan 13, 2010 at 07:44:07PM -0500, Sam Varshavchik wrote:
> Let's try the following patch. I do appreciate your help in testing it. 
> It's not easy for me to test all possible permutations of distro-specific 
> configurations, and platform-specific nuances, that float around.
>
> diff -U3 -r1.58 main.C
> --- maildrop/main.C	13 Jan 2010 01:32:02 -0000	1.58
> +++ maildrop/main.C	14 Jan 2010 00:41:13 -0000
> @@ -564,6 +564,8 @@
>
> #if	RESET_GID
> 	setgroupid(getgid());
> +#else
> +	setgroupid(getegid());
> #endif
>
> uid_t	my_u=getuid();
>

OK, it works when I put it in the first block, where it first does setuid()
because of the delivery mode. Then the subprocess gets the group mail.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Fri, 15 Jan 2010 04:00:03 GMT)

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Fri, 15 Jan 2010 04:00:03 GMT)

Message #90 received at 564601@bugs.debian.org:

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Thu, 14 Jan 2010 22:52:55 -0500
Josip Rodin writes:

> On Wed, Jan 13, 2010 at 07:44:07PM -0500, Sam Varshavchik wrote:
>> Let's try the following patch. I do appreciate your help in testing it. 
>> It's not easy for me to test all possible permutations of distro-specific 
>> configurations, and platform-specific nuances, that float around.
>>
>> diff -U3 -r1.58 main.C
>> --- maildrop/main.C	13 Jan 2010 01:32:02 -0000	1.58
>> +++ maildrop/main.C	14 Jan 2010 00:41:13 -0000
>> @@ -564,6 +564,8 @@
>>
>> #if	RESET_GID
>> 	setgroupid(getgid());
>> +#else
>> +	setgroupid(getegid());
>> #endif
>>
>> uid_t	my_u=getuid();
>>
> 
> OK, it works when I put it in the first block, where it first does setuid()
> because of the delivery mode. Then the subprocess gets the group mail.

You must be referring to the following.

After giving this another good look-over, today, I agree. Works for me.

diff -U3 -r1.58 main.C
--- maildrop/main.C	13 Jan 2010 01:32:02 -0000	1.58
+++ maildrop/main.C	15 Jan 2010 03:49:01 -0000
@@ -476,6 +476,8 @@
					nouser();
#if	RESET_GID
				setgroupid(my_pw->pw_gid);
+#else
+				setgroupid(getegid());
#endif
				setuid(my_pw->pw_uid);
				if (getuid() != my_pw->pw_uid)
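Review bot: the added `setgroupid(getegid())` has no result check, while the `setuid(my_pw->pw_uid)` two lines below is verified with `if (getuid() != my_pw->pw_uid)`; add the equivalent `if (getgid() != getegid())` test and take the same failure path, so that a group switch the kernel refuses is fatal instead of silently leaving root's real gid in place. Separately, the reporter's `id` output shows `groups=0(root)` in the supplementary list; unless `setgroupid()` also calls `setgroups()`, this hunk fixes the real gid but leaves that inherited supplementary group behind, which is worth confirming before the Debian builds ship it.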


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Fri, 15 Jan 2010 08:27:03 GMT)

Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Fri, 15 Jan 2010 08:27:03 GMT)

Message #95 received at 564601@bugs.debian.org:

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Sam Varshavchik <mrsam@courier-mta.com>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Fri, 15 Jan 2010 09:22:09 +0100
On Thu, Jan 14, 2010 at 10:52:55PM -0500, Sam Varshavchik wrote:
>> OK, it works when I put it in the first block, where it first does setuid()
>> because of the delivery mode. Then the subprocess gets the group mail.
>
> You must be referring to the following.
>
> After giving this another good look-over, today, I agree. Works for me.

OK. Do we envision any other side-effects that might in turn arise from
this change? I don't know much about the Courier-integrated use cases.

-- 
     2. That which causes joy or happiness.




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Fri, 15 Jan 2010 12:09:05 GMT)

Acknowledgement sent to Sam Varshavchik <mrsam@courier-mta.com>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Fri, 15 Jan 2010 12:09:05 GMT)

Message #100 received at 564601@bugs.debian.org:

From: Sam Varshavchik <mrsam@courier-mta.com>
To: Josip Rodin <joy@debbugs.entuzijast.net>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 564601@bugs.debian.org
Subject: Re: Bug#564601: possible problems when switching UID/GIDs in delivery mode when run as root
Date: Fri, 15 Jan 2010 07:07:48 -0500
Josip Rodin writes:

> On Thu, Jan 14, 2010 at 10:52:55PM -0500, Sam Varshavchik wrote:
>>> OK, it works when I put it in the first block, where it first does setuid()
>>> because of the delivery mode. Then the subprocess gets the group mail.
>>
>> You must be referring to the following.
>>
>> After giving this another good look-over, today, I agree. Works for me.
> 
> OK. Do we envision any other side-effects that might in turn arise from
> this change? I don't know much about the Courier-integrated use cases.

Don't think so. The Courier version has RESET_GID always set, so this has no 
impact on the Courier version of maildrop. For the standalone maildrop 
version, this is a fairly limited change, only effective when the default 
mailbox directory does not have the sticky bit set. The net effect is fairly 
well understood.



Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Thu, 28 Jan 2010 19:51:13 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Thu, 28 Jan 2010 19:51:13 GMT)

Message #105 received at 564601-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 564601-close@bugs.debian.org
Subject: Bug#564601: fixed in maildrop 2.2.0-3.1
Date: Thu, 28 Jan 2010 19:47:56 +0000
Source: maildrop
Source-Version: 2.2.0-3.1

We believe that the bug you reported is fixed in the latest version of
maildrop, which is due to be installed in the Debian FTP archive:

maildrop_2.2.0-3.1.diff.gz
  to main/m/maildrop/maildrop_2.2.0-3.1.diff.gz
maildrop_2.2.0-3.1.dsc
  to main/m/maildrop/maildrop_2.2.0-3.1.dsc
maildrop_2.2.0-3.1_i386.deb
  to main/m/maildrop/maildrop_2.2.0-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated maildrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 28 Jan 2010 20:24:22 +0100
Source: maildrop
Binary: maildrop
Architecture: source i386
Version: 2.2.0-3.1
Distribution: unstable
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 maildrop   - mail delivery agent with filtering abilities
Closes: 564601
Changes: 
 maildrop (2.2.0-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix privilege escalation via maildrop -d which grants root group
     privileges (Closes: #564601) Thanks to Sam Varshavchik
Checksums-Sha1: 
 f2ce686042c60a93c32608717735f02bc6d60dfa 1101 maildrop_2.2.0-3.1.dsc
 39a43fcaa2f4f3d79b7c0e2c09378950178a9361 631070 maildrop_2.2.0-3.1.diff.gz
 fba21c6a89d01aee9f8aa043bd42fa79020ed5c5 367904 maildrop_2.2.0-3.1_i386.deb
Checksums-Sha256: 
 d35722c442c34b391f41a95ff76837c2f81688e13c983a5845efad8581433f14 1101 maildrop_2.2.0-3.1.dsc
 f56f279bb17182f0e5bf1b9cb2156f908da0bae1e3e0097341a7298e4c7e8bab 631070 maildrop_2.2.0-3.1.diff.gz
 b15acf5062468abd9becca55e201c20ba3550b20956e3beb973a25d3099d3835 367904 maildrop_2.2.0-3.1_i386.deb
Files: 
 5b0031829042677e03bbcab35211a7b3 1101 mail optional maildrop_2.2.0-3.1.dsc
 3db51f268a0209dfb9b28728c3189362 631070 mail optional maildrop_2.2.0-3.1.diff.gz
 f4c7f47026047b8c6e714c7eb8f325be 367904 mail optional maildrop_2.2.0-3.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkth5u8ACgkQ62zWxYk/rQcWtwCfetQFArCCjEiu04t6ULGWQ73g
WW4AnRywfp0YoVkl3M51vBMzIhGqx6mf
=j/Uv
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#564601; Package maildrop. (Fri, 29 Jan 2010 11:57:08 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Fri, 29 Jan 2010 11:57:08 GMT)

Message #110 received at 564601@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 564601@bugs.debian.org
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Sam Varshavchik <mrsam@courier-mta.com>
Subject: CVE id for maildrop issue (CVE-2010-0301)
Date: Fri, 29 Jan 2010 12:51:33 +0100
Hi

FYI, This issue has been assigned CVE-2010-0301.

Cheers
Steffen

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Thu, 04 Feb 2010 19:54:05 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Thu, 04 Feb 2010 19:54:05 GMT)

Message #115 received at 564601-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 564601-close@bugs.debian.org
Subject: Bug#564601: fixed in maildrop 2.0.4-3+lenny1
Date: Thu, 04 Feb 2010 19:52:49 +0000
Source: maildrop
Source-Version: 2.0.4-3+lenny1

We believe that the bug you reported is fixed in the latest version of
maildrop, which is due to be installed in the Debian FTP archive:

maildrop_2.0.4-3+lenny1.diff.gz
  to main/m/maildrop/maildrop_2.0.4-3+lenny1.diff.gz
maildrop_2.0.4-3+lenny1.dsc
  to main/m/maildrop/maildrop_2.0.4-3+lenny1.dsc
maildrop_2.0.4-3+lenny1_i386.deb
  to main/m/maildrop/maildrop_2.0.4-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated maildrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 27 Jan 2010 22:55:05 +0100
Source: maildrop
Binary: maildrop
Architecture: source i386
Version: 2.0.4-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 maildrop   - mail delivery agent with filtering abilities
Closes: 564601
Changes: 
 maildrop (2.0.4-3+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix privilege escalation bug when using maildrop -d
     (Closes: #564601) Thanks to Sam Varshavchik
Checksums-Sha1: 
 393d844c1837fe560e5b156c763aff185ac06456 1137 maildrop_2.0.4-3+lenny1.dsc
 5156fd335b6740e045d85d8cbd1c5fab07467c05 3566630 maildrop_2.0.4.orig.tar.gz
 8a4eaeb1679f9167f20c5b814d43307703ebb6a0 807697 maildrop_2.0.4-3+lenny1.diff.gz
 cb4a12b9c3fa653c5d6a017641ca1efa257d5e1e 359326 maildrop_2.0.4-3+lenny1_i386.deb
Checksums-Sha256: 
 a214a8fc5dee575cc8c3834dba17615f74fde47491a51b7629e3a30fa9b47d5f 1137 maildrop_2.0.4-3+lenny1.dsc
 6950ab27650f19ec6e45c3dfc546722f38142aa3d23332436f7b9009f8be7364 3566630 maildrop_2.0.4.orig.tar.gz
 2e777f44255795da01b3d6b43f94a8448f1ea3b101591ad514665973e4d3ab06 807697 maildrop_2.0.4-3+lenny1.diff.gz
 68ad0a6ec640b1aa2735cd5afcd4776c75d172b9f937036d3ac08918b15eaed0 359326 maildrop_2.0.4-3+lenny1_i386.deb
Files: 
 fc8c7f28371afe62703db1c24103f348 1137 mail optional maildrop_2.0.4-3+lenny1.dsc
 78e6c27afe7eff9e132b8bc20087aae7 3566630 mail optional maildrop_2.0.4.orig.tar.gz
 85669f0b67c38a7e55e3f22e9431ea65 807697 mail optional maildrop_2.0.4-3+lenny1.diff.gz
 1e1b2e94312f7074321d5b11dc3524f5 359326 mail optional maildrop_2.0.4-3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktgt7cACgkQ62zWxYk/rQcPWACdFH+Ba16xcqmbIlktWyIH3ayQ
ZjcAnivI86PTzS/rXeRKXDHQZ04ICl+q
=kuLq
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Tue, 23 Feb 2010 20:09:05 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Tue, 23 Feb 2010 20:09:05 GMT)

Message #120 received at 564601-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 564601-close@bugs.debian.org
Subject: Bug#564601: fixed in maildrop 2.0.2-11+etch1
Date: Tue, 23 Feb 2010 20:06:04 +0000
Source: maildrop
Source-Version: 2.0.2-11+etch1

We believe that the bug you reported is fixed in the latest version of
maildrop, which is due to be installed in the Debian FTP archive:

maildrop_2.0.2-11+etch1.diff.gz
  to main/m/maildrop/maildrop_2.0.2-11+etch1.diff.gz
maildrop_2.0.2-11+etch1.dsc
  to main/m/maildrop/maildrop_2.0.2-11+etch1.dsc
maildrop_2.0.2-11+etch1_i386.deb
  to main/m/maildrop/maildrop_2.0.2-11+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated maildrop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 27 Jan 2010 22:07:24 +0000
Source: maildrop
Binary: maildrop
Architecture: source i386
Version: 2.0.2-11+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 maildrop   - mail delivery agent with filtering abilities
Closes: 564601
Changes: 
 maildrop (2.0.2-11+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix privilege escalation bug when using maildrop -d
     (Closes: #564601) Thanks to Sam Varshavchik
Files: 
 5d4c1da5e17a5055431958284386d2ae 736 mail optional maildrop_2.0.2-11+etch1.dsc
 d799e44aa65027a02343e5e08b97f3a0 3217622 mail optional maildrop_2.0.2.orig.tar.gz
 bbbbb2f714d5aafbca2255ae600ed4d4 13865 mail optional maildrop_2.0.2-11+etch1.diff.gz
 0a4b406123abee445305109c4915ba23 355822 mail optional maildrop_2.0.2-11+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktgvG4ACgkQ62zWxYk/rQe2pwCcDp4E5P9Pe8rMOtB/eFjMrAbr
1+cAoKPdP9pKDAkSdJD7C3Ur1m1RoMob
=FIO3
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:30:21 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:30:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.