Your message dated Fri, 30 Jan 2009 21:17:05 +0000
with message-id <[email protected]>
and subject line Bug#506353: fixed in mailscanner 4.74.16-1
has caused the Debian Bug report #506353,
regarding CVE-2008-5312/3: mailscanner might allow local users to overwrite
arbitrary files via a symlink attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
506353: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506353
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mailscanner
Version: 4.55.10-3
Severity: grave
Tags: security
Hi,
I have found more issues in the autoupdate scripts and other files shipped by
mailscanner than those reported in CVE-2008-5140[1].
In 4.55.10-3, grepping the files throws this:
/etc/MailScanner/autoupdate/:
> f-prot-autoupdate:$TempDir = "/var/tmp/f-prot";
> f-prot-autoupdate:$TmpFile = "tmp-web";
> clamav-autoupdate:$LogFile = "/tmp/ClamAV.update.log";
> panda-autoupdate.new:TEMPDIR="/tmp"
> trend-autoupdate.new:wget -q -O /tmp/$OPRINI $FTPSERV/opr.ini
> trend-autoupdate.new:NEWVER=`grep PatternVersionNPF /tmp/opr.ini.$$ | sed s/^PatternVersionNPF=//g | cut -c 3-5`
> trend-autoupdate.new: wget -q -P /tmp $FTPSERV/lpt$NEWVER.zip
> trend-autoupdate.new: DATCHECK=`unzip -o -t /tmp/lpt$NEWVER.zip | grep "No errors"`
> trend-autoupdate.new: mv /tmp/lpt$NEWVER.zip /etc/iscan
> trend-autoupdate.new:rm -f /tmp/lpt*.zip /tmp/$OPRINI $PackageDir/*.zip
> rav-autoupdate.new:my($LockFile) = '/tmp/RavBusy.lock';
(omitting other affected files in that package version, read below)
In 4.68.8-1:
/etc/MailScanner/autoupdate/:
> f-prot-autoupdate:$TempDir = "$FProtRoot/tmp";
> f-prot-autoupdate:$TmpFile = "tmp-web";
> clamav-autoupdate:$LogFile = "/tmp/ClamAV.update.log";
> avast-autoupdate:$LogFile = "/tmp/Avast.update.log";
> f-prot-6-autoupdate:my $logfile = "/tmp/f-prot-6-update-$$";
> f-prot-6-autoupdate: unlink "/tmp/fpavdef.lock";
/etc/MailScanner/wrapper/:
> bitdefender-wrapper:LogFile=/tmp/log.bdc.$$
> kaspersky-wrapper: Report=/tmp/kavoutput.tmp.$$
> kaspersky-wrapper: Report=/tmp/kavoutput.tmp.$$
> kaspersky-wrapper: Report=/tmp/kavoutput.tmp.$$
> clamav-wrapper:TempDir="/tmp/clamav.$$"
> clamav-wrapper:if [ -x "${TempDir}" ]; then
> clamav-wrapper: rm -rf ${TempDir} >/dev/null 2>&1
> clamav-wrapper:mkdir "${TempDir}" >/dev/null 2>&1
> clamav-wrapper:trap "rm -rf ${TempDir}" EXIT
> clamav-wrapper: ExtraScanOptions="$ExtraScanOptions --tempdir=${TempDir}"
> clamav-wrapper: chown ${ClamUser}:${ClamGroup} "${TempDir}"
> clamav-wrapper:if [ -x "${TempDir}" ]; then
> clamav-wrapper: rm -rf ${TempDir}
> rav-wrapper:my $tmpdir = '/tmp';
> rav-wrapper:my $reportfile = sprintf('%s/report.vir.%s', $tmpdir, $$);
/usr/share/MailScanner/MailScanner/:
> Quarantine.pm: $testfn = MailScanner::Config::Value('lockfiledir') || '/tmp';
> TNEF.pm: require File::Temp;
> TNEF.pm: mkdir "/tmp/tnef.$$", 0777;
> TNEF.pm: chmod 0700, "/tmp/tnef.$$";
> TNEF.pm: output_dir => "/tmp/tnef.$$",
> TNEF.pm: system("rm -rf /tmp/tnef.$$");
> TNEF.pm: system("rm -rf /tmp/tnef.$$");
> MessageBatch.pm: my $newmessage = MailScanner::Message->new(1, '/tmp', 1);
> MessageBatch.pm: my $fh = new FileHandle(">/tmp/MSLint.body.$$");
> MessageBatch.pm: $newmessage->{store}->{dpath} = "/tmp/MSLint.body.$$";
> WorkArea.pm: $testfn = MailScanner::Config::Value('lockfiledir') || '/tmp';
> WorkArea.pm: or MailScanner::Log::DieLog("Cannot create temporary Work Dir %s. " .
> SA.pm: # Create the $TMPDIR for SpamAssassin if necessary, then check we can
> SA.pm: # write to it. If not, change to /tmp.
> SA.pm: my $tmpdir = MailScanner::Config::Value('spamassassintempdir');
> SA.pm: mkdir $tmpdir;
> SA.pm: stat $tmpdir; # Is the directory writeable?
> SA.pm: $tmpdir = '/tmp' unless -d _ && -r _ && -w _ && -x _;
> SA.pm: $ENV{'TMPDIR'} = $tmpdir;
> SA.pm: MailScanner::Log::InfoLog("SpamAssassin temporary working directory is %s",
> SA.pm: $tmpdir);
> SA.pm: print STDERR "SpamAssassin temp dir = $tmpdir\n";
Other dirs:
> /etc/MailScanner/mailscanner.conf.with.mcp:Lockfile Dir = /tmp
> /usr/sbin/MailScanner: unlink "/tmp/MSLint.body.$$";
> /usr/sbin/MailScanner: $msg = MailScanner::Message->new('1','/tmp','fake');
I'm using severity grave as this package should definitely not be shipped in
any release as is.
A good starting point to fix this mess is checking the above-mentioned files,
and then running grep -riE "\bte?mp[^l]" path/to/code and carefully reviewing
the matched files.
Of course, not even that would guarantee that there are no remaining ways to
conduct symlink attacks via temporary files.
A full code audit is really needed IMHO.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5140
http://security-tracker.debian.net/tracker/CVE-2008-5140
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
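The attack the report describes, as an added example that is not part of the bug report or of MailScanner's code: a privileged job writes its log to a name anyone can predict under a world-writable directory (the quoted `$LogFile = "/tmp/ClamAV.update.log"` and `LogFile=/tmp/log.bdc.$$` shapes), a local user plants a symlink at that name, and the write lands in the symlink's target. The example runs entirely inside a throwaway sandbox created with mktemp; the `victim` file and its contents are constructed stand-ins for a root-owned file such as /etc/passwd, and `vulnerable_log`, `safe_log` and `run_attack` are names chosen here, not functions from the project.

```shell
#!/bin/sh
# Added example (not MailScanner's code). Reproduces the predictable-temp-file
# pattern from the bug report inside a sandbox and contrasts it with mktemp.

# Vulnerable shape. $1 stands in for /tmp, $2 is the predictable file name,
# either fixed ("ClamAV.update.log") or PID-suffixed ("log.bdc.$$"; a PID is
# at most a few tens of thousands of guesses, and cron jobs are easy to time).
# The shell's ">" opens with O_CREAT|O_TRUNC and follows a symlink, so a
# planted link turns this into "truncate and overwrite the target".
vulnerable_log() {
    logfile="$1/$2"
    echo "update started" > "$logfile"
}

# Hardened shape. mktemp creates the file itself with O_CREAT|O_EXCL and a
# random suffix, so a pre-planted symlink is neither followed nor reused; the
# caller then only ever writes to the path mktemp handed back.
# The Perl equivalent is File::Temp's tempfile()/tempdir().
safe_log() {
    logfile=$(mktemp "$1/$2.XXXXXX") || return 1
    echo "update started" > "$logfile"
    echo "$logfile"
}

# Simulated local attacker plus the privileged writer, in one sandbox.
# In real life the attacker can write to /tmp but not to the victim file;
# here both live in the sandbox, which is all the demonstration needs.
# Prints 1 if the victim file was clobbered, 0 if it survived intact.
run_attack() {
    writer=$1
    name=$2
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    victim="$sandbox/victim"
    # constructed stand-in for a root-owned file the attacker cannot write
    echo "root:x:0:0:root:/root:/bin/sh" > "$victim"
    # attacker step: plant the symlink at the name the job is known to use
    ln -s "$victim" "$sandbox/tmp/$name"
    # privileged step: the job runs and writes its log
    "$writer" "$sandbox/tmp" "$name" >/dev/null
    if grep -q '^root:' "$victim"; then
        echo 0
    else
        echo 1
    fi
    rm -rf "$sandbox"
}

# Stand-alone run: both vulnerable cases print clobbered=1, both safe cases
# print clobbered=0.
for case in "vulnerable_log ClamAV.update.log" "vulnerable_log log.bdc.$$" \
            "safe_log ClamAV.update.log" "safe_log log.bdc.$$"; do
    set -- $case
    printf '%-16s %-24s clobbered=%s\n' "$1" "$2" "$(run_attack "$1" "$2")"
done
```

Two caveats worth keeping in mind when applying this to the files listed above. First, mktemp only helps if the rest of the script keeps using the returned path; a script that calls mktemp and then re-opens a name it computed itself is back where it started. Second, the directory lines (`mkdir "/tmp/tnef.$$"`, `TempDir="/tmp/clamav.$$"`) need the same treatment with `mktemp -d`, since `mkdir` of a name that already exists as a symlink fails, and a script that discards that failure goes on to use whatever the symlink points at.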
--- Begin Message ---
Source: mailscanner
Source-Version: 4.74.16-1
We believe that the bug you reported is fixed in the latest version of
mailscanner, which is due to be installed in the Debian FTP archive:
mailscanner_4.74.16-1.diff.gz
to pool/main/m/mailscanner/mailscanner_4.74.16-1.diff.gz
mailscanner_4.74.16-1.dsc
to pool/main/m/mailscanner/mailscanner_4.74.16-1.dsc
mailscanner_4.74.16-1_all.deb
to pool/main/m/mailscanner/mailscanner_4.74.16-1_all.deb
mailscanner_4.74.16.orig.tar.gz
to pool/main/m/mailscanner/mailscanner_4.74.16.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Walter <[email protected]> (supplier of updated mailscanner package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 20 Jan 2009 22:23:36 +0100
Source: mailscanner
Binary: mailscanner
Architecture: source all
Version: 4.74.16-1
Distribution: unstable
Urgency: low
Maintainer: Simon Walter <[email protected]>
Changed-By: Simon Walter <[email protected]>
Description:
mailscanner - email gateway for virus scanning, spam and phishing detection
Closes: 506353 512338
Changes:
mailscanner (4.74.16-1) unstable; urgency=low
.
* New upstream release (Closes: #506353)
Fixes symlink vulnerability CVE-2008-5312, CVE-2008-5313, CVE-2008-5140
* Added new description to install MailScanner with sendmail and queue aging
README.sendmail.2 thanks to Jim Barber
* Fixed patch for exim installation (Closes: #512338)
Checksums-Sha1:
0266df1dc8ff0ead4708e88f8c6dba3d0d3d67ef 1091 mailscanner_4.74.16-1.dsc
e90c17c2e288561c9bad9416b8739fe1391648a9 745831 mailscanner_4.74.16.orig.tar.gz
aaebcf31f413effd8fe49484a7499794a1751d11 41496 mailscanner_4.74.16-1.diff.gz
2e6e56947a329eb6d5cb333a289d28b924edc498 681926 mailscanner_4.74.16-1_all.deb
Checksums-Sha256:
d6eecdc7d7c064439eae7426d118565a17b0ce3ad3096fec802c9baa9c7831ce 1091 mailscanner_4.74.16-1.dsc
449f28784c8ee65d23748e1395872deb695f9065e7c27130ca594293374aa3e7 745831 mailscanner_4.74.16.orig.tar.gz
12afe0d47df1143329fb82135d710aa62cb5bde04cd0f5c0eae7264de38a8f97 41496 mailscanner_4.74.16-1.diff.gz
d1855f2cb0675f6162c88d8aeefb17d6fd3ac397ae67a723fa08f38d0dd9b3a3 681926 mailscanner_4.74.16-1_all.deb
Files:
95f1d6a1d1cda16628925630a810f382 1091 mail optional mailscanner_4.74.16-1.dsc
889a8cb5b19d0b422649df882e441f2d 745831 mail optional mailscanner_4.74.16.orig.tar.gz
5db472897688a4871b8b6d17ed96f7d3 41496 mail optional mailscanner_4.74.16-1.diff.gz
6a340614b4ff3fe1f9141555bae65cc6 681926 mail optional mailscanner_4.74.16-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmDa+YACgkQ9/DnDzB9Vu0c0wCePCNd3sFhHEZgeMCaOqOPu5dU
UJoAoIis8fe2QmJke/JyEwvVliMZKc3+
=69kX
-----END PGP SIGNATURE-----
--- End Message ---