Debian Bug report logs - #596397
CVE-2010-3293: local users may prevent virus signatures from being updated

Package: mailscanner; Maintainer for mailscanner is (unknown);

Reported by: Raphael Geissert <geissert@debian.org>

Date: Sat, 11 Sep 2010 00:39:04 UTC

Severity: important

Tags: security

Merged with 596398, 596399, 596400

Found in version mailscanner/4.79.11-2

Fixed in version 4.79.11-2.2+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Simon Walter <simon.walter@hp-factory.de>:
Bug#596397; Package mailscanner. (Sat, 11 Sep 2010 00:39:07 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: mailscanner: local users may prevent virus signatures from being updated
Date: Fri, 10 Sep 2010 19:36:49 -0500
Package: mailscanner
Version: 4.79.11-2
Severity: important
Tags: security

Hi,

update_virus_scanners uses /tmp/MailScanner.autoupdate.lock as lockfile and 
exits without doing anything if it is a file (not a symlink) and has recently 
been modified (according to mtime.)
This check can be potentially abused by local users to prevent the signatures 
from being updated by continuously (re-)creating and/or updating the mtime of 
that file.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
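
Added example (not part of the original report, and not MailScanner's own code): a Python model of the lock check as the report describes it, next to a hardened variant that keeps the lock in a directory only the updater can write and relies on flock() instead of mtime. FRESH_SECONDS, the function names, the lock directory and the file name autoupdate.lock are assumptions made for illustration.

```python
import fcntl
import os
import stat
import time

FRESH_SECONDS = 3600  # assumed window; the report only says "recently"

def naive_should_skip(lock_path, now=None):
    """Model of the reported check: skip the update when the lock is a
    regular file (not a symlink) whose mtime is recent."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(lock_path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and now - st.st_mtime < FRESH_SECONDS

def acquire_update_lock(lock_dir, name="autoupdate.lock"):
    """Hardened variant (hypothetical helper). Returns an fd holding the
    lock, or None if another updater really is running."""
    st = os.lstat(lock_dir)
    # The lock directory must be ours and not writable by group/other,
    # so no other local user can create or touch the lock file.
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_mode & 0o022):
        raise PermissionError(f"unsafe lock directory: {lock_dir}")
    fd = os.open(os.path.join(lock_dir, name),
                 os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        # A kernel advisory lock disappears when the holder exits, so a
        # leftover file or a fresh mtime never counts as "locked".
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # created mode 0700, ours
        path = os.path.join(d, "autoupdate.lock")
        open(path, "w").close()               # constructed leftover lock
        print("naive check skips update:", naive_should_skip(path))
        fd = acquire_update_lock(d)
        print("flock acquired despite fresh file:", fd is not None)
        print("second updater blocked:", acquire_update_lock(d) is None)
        os.close(fd)
```

The caller keeps the returned descriptor open for the duration of the update and closes it afterwards; the lock is released automatically if the process dies.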




Merged 596397 596398 596399 596400. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 11 Sep 2010 16:33:09 GMT)


Changed Bug title to 'CVE-2010-3293: local users may prevent virus signatures from being updated' from 'mailscanner: local users may prevent virus signatures from being updated'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Thu, 16 Sep 2010 19:00:03 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 27 Feb 2011 10:36:51 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sun, 27 Feb 2011 10:36:51 GMT)


Message #12 received at 596397-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 303929-done@bugs.debian.org,313145-done@bugs.debian.org,353266-done@bugs.debian.org,408161-done@bugs.debian.org,410647-done@bugs.debian.org,490948-done@bugs.debian.org,506148-done@bugs.debian.org,577916-done@bugs.debian.org,583527-done@bugs.debian.org,595945-done@bugs.debian.org,596396-done@bugs.debian.org,596397-done@bugs.debian.org,596398-done@bugs.debian.org,596399-done@bugs.debian.org,596400-done@bugs.debian.org,596510-done@bugs.debian.org,596512-done@bugs.debian.org,596514-done@bugs.debian.org,597611-done@bugs.debian.org,598726-done@bugs.debian.org,605869-done@bugs.debian.org,607226-done@bugs.debian.org,607747-done@bugs.debian.org,608337-done@bugs.debian.org,
Cc: mailscanner@packages.debian.org, mailscanner@packages.qa.debian.org
Subject: Bug#531317: Removed package(s) from unstable
Date: Sun, 27 Feb 2011 10:33:46 +0000
Version: 4.79.11-2.2+rm

Dear submitter,

as the package mailscanner has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/531317

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Mar 2011 07:31:40 GMT)

