Debian Bug report logs - #638002
Improper seteuid() calls in src/log.c and src/masqmail.c

Package: masqmail; Maintainer for masqmail is (unknown);

Reported by: John Lightsey <lightsey@debian.org>

Date: Tue, 16 Aug 2011 13:30:02 UTC

Severity: critical

Tags: fixed-upstream, security

Found in version masqmail/0.2.21-4

Fixed in versions masqmail/0.2.30-1, masqmail/0.2.27-1.1+squeeze1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, lightsey@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, markus schnalke <meillo@marmaro.de>:
Bug#638002; Package masqmail. (Tue, 16 Aug 2011 13:30:05 GMT)


Acknowledgement sent to John Lightsey <lightsey@debian.org>:
New Bug report received and forwarded. Copy sent to lightsey@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, markus schnalke <meillo@marmaro.de>. (Tue, 16 Aug 2011 13:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: John Lightsey <lightsey@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Improper seteuid() calls in src/log.c and src/masqmail.c
Date: Tue, 16 Aug 2011 08:27:22 -0500
Package: masqmail
Version: 0.2.21-4
Severity: critical
Tags: security
Justification: root security hole

Reporting publicly since this has already been disclosed on the masqmail list.

In src/log.c there are two logging functions that use this logic:

uid_t saved_uid;
saved_uid = seteuid(conf.mail_uid);

....write to a log file...

seteuid(saved_uid);


The first seteuid() call here isn't returning the previous EUID, it's
returning 0 on success and -1 on failure. The net result should be that
any time masqmail writes to the log, it's resetting the EUID to root.
This would undo the effect of other code in masqmail that drops root
privileges.

The most recent upstream version of masqmail (0.3.2) contains identical
code to the version I audited (Debian stable's version 0.2.27).

Per information provided by the upstream author, src/masqmail.c contains
additional code with the same type of flaw.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
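
The flaw described in the report above, shown next to a corrected pattern, as an added example that is not part of the original report, masqmail's source or the upstream fix. It runs against a small constructed model of process credentials (`proc`, `model_seteuid`, the function names and the uid 8 standing in for `conf.mail_uid` are all assumptions) so the result is visible without root.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed, simplified model of process credentials so the effect can be
 * observed without root. As with seteuid(), only the effective uid changes. */
static struct { uid_t ruid, euid, suid; } proc;

/* Like seteuid(2): returns 0 on success or -1 on failure, never a uid. */
static int model_seteuid(uid_t uid)
{
    if (proc.euid != 0 && uid != proc.ruid && uid != proc.euid && uid != proc.suid)
        return -1;
    proc.euid = uid;
    return 0;
}

/* Pattern quoted in the report: the status code is kept as the "old" EUID. */
static void log_write_buggy(uid_t mail_uid)
{
    uid_t saved_uid = model_seteuid(mail_uid); /* 0 on success, not a uid */
    /* ... write to a log file ... */
    model_seteuid(saved_uid);                  /* seteuid(0): EUID is root again */
}

/* Corrected pattern: read the EUID first and check both calls. */
static int log_write_fixed(uid_t mail_uid)
{
    uid_t saved_uid = proc.euid;               /* what geteuid() would return */
    if (model_seteuid(mail_uid) != 0)
        return -1;
    /* ... write to a log file ... */
    return model_seteuid(saved_uid);
}

/* Start as root, drop the EUID to mail_uid (saved uid stays 0), log once. */
static uid_t euid_after_log(int use_fixed, uid_t mail_uid)
{
    proc.ruid = proc.euid = proc.suid = 0;
    model_seteuid(mail_uid);
    if (use_fixed) log_write_fixed(mail_uid);
    else log_write_buggy(mail_uid);
    return proc.euid;                          /* EUID the process is left with */
}

int main(void)
{
    /* 8 is a constructed stand-in for conf.mail_uid */
    printf("buggy: %u, fixed: %u\n", (unsigned)euid_after_log(0, 8), (unsigned)euid_after_log(1, 8));
    return 0;
}
```
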




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#638002; Package masqmail. (Tue, 30 Aug 2011 11:48:32 GMT)


Acknowledgement sent to markus schnalke <meillo@marmaro.de>:
Extra info received and forwarded to list. (Tue, 30 Aug 2011 11:48:35 GMT)


Message #10 received at 638002@bugs.debian.org:

From: markus schnalke <meillo@marmaro.de>
To: 638002@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Fixed upstream in 0.2.30
Date: Tue, 30 Aug 2011 13:47:21 +0200
tags 638002 fixed-upstream
thanks

The bug had been fixed in version 0.2.30.

The relevant changeset is:
http://hg.marmaro.de/masqmail/rev/e507c854a63e


meillo




Added tag(s) fixed-upstream. Request was from markus schnalke <meillo@marmaro.de> to control@bugs.debian.org. (Tue, 30 Aug 2011 11:49:22 GMT)


Reply sent to markus schnalke <meillo@marmaro.de>:
You have taken responsibility. (Tue, 13 Sep 2011 16:51:11 GMT)


Notification sent to John Lightsey <lightsey@debian.org>:
Bug acknowledged by developer. (Tue, 13 Sep 2011 16:51:11 GMT)


Message #17 received at 638002-close@bugs.debian.org:

From: markus schnalke <meillo@marmaro.de>
To: 638002-close@bugs.debian.org
Subject: Bug#638002: fixed in masqmail 0.2.30-1
Date: Tue, 13 Sep 2011 16:48:13 +0000
Source: masqmail
Source-Version: 0.2.30-1

We believe that the bug you reported is fixed in the latest version of
masqmail, which is due to be installed in the Debian FTP archive:

masqmail_0.2.30-1.diff.gz
  to main/m/masqmail/masqmail_0.2.30-1.diff.gz
masqmail_0.2.30-1.dsc
  to main/m/masqmail/masqmail_0.2.30-1.dsc
masqmail_0.2.30-1_amd64.deb
  to main/m/masqmail/masqmail_0.2.30-1_amd64.deb
masqmail_0.2.30.orig.tar.gz
  to main/m/masqmail/masqmail_0.2.30.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 638002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
markus schnalke <meillo@marmaro.de> (supplier of updated masqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Aug 2011 16:37:02 +0200
Source: masqmail
Binary: masqmail
Architecture: source amd64
Version: 0.2.30-1
Distribution: unstable
Urgency: high
Maintainer: markus schnalke <meillo@marmaro.de>
Changed-By: markus schnalke <meillo@marmaro.de>
Description: 
 masqmail   - mail transport agent for intermittently connected hosts
Closes: 610067 638002
Changes: 
 masqmail (0.2.30-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #638002)
   * Improved (fixed) watch file.
   * Closing information ``bug'' from previous NMU. (Closes: #610067)
   * Bumped standards version to 3.9.2.






Information forwarded to debian-bugs-dist@lists.debian.org, markus schnalke <meillo@marmaro.de>:
Bug#638002; Package masqmail. (Thu, 22 Sep 2011 21:42:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to markus schnalke <meillo@marmaro.de>. (Thu, 22 Sep 2011 21:42:04 GMT)


Message #22 received at 638002@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 638002@bugs.debian.org
Subject: Improper seteuid() calls in src/log.c and src/masqmail.c
Date: Thu, 22 Sep 2011 22:40:12 +0100 (BST)
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.9) 	- use target "stable"
lenny (5.0.9) 	- use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Sat, 17 Dec 2011 14:09:13 GMT)


Notification sent to John Lightsey <lightsey@debian.org>:
Bug acknowledged by developer. (Sat, 17 Dec 2011 14:09:13 GMT)


Message #27 received at 638002-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 638002-close@bugs.debian.org
Subject: Bug#638002: fixed in masqmail 0.2.27-1.1+squeeze1
Date: Sat, 17 Dec 2011 14:05:40 +0000
Source: masqmail
Source-Version: 0.2.27-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
masqmail, which is due to be installed in the Debian FTP archive:

masqmail_0.2.27-1.1+squeeze1.diff.gz
  to main/m/masqmail/masqmail_0.2.27-1.1+squeeze1.diff.gz
masqmail_0.2.27-1.1+squeeze1.dsc
  to main/m/masqmail/masqmail_0.2.27-1.1+squeeze1.dsc
masqmail_0.2.27-1.1+squeeze1_amd64.deb
  to main/m/masqmail/masqmail_0.2.27-1.1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 638002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated masqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 04 Dec 2011 22:02:34 +0000
Source: masqmail
Binary: masqmail
Architecture: source amd64
Version: 0.2.27-1.1+squeeze1
Distribution: stable
Urgency: low
Maintainer: markus schnalke <meillo@marmaro.de>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 masqmail   - mail transport agent for intermittently connected hosts
Closes: 638002
Changes: 
 masqmail (0.2.27-1.1+squeeze1) stable; urgency=low
 .
   * Non-maintainer upload.
   * Fix improper seteuid() calls in src/log.c and src/masqmail.c
     (Closes: #638002)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jan 2012 07:32:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 07:39:52 2025; Machine Name: buxtehude
