Package: sa-exim Version: 4.2-2 Severity: important Tags: security, patch
Severity only important because it doesn't affect the default installation - feel free to change it. The /usr/share/doc/sa-exim/greylistclean.cron file has a security hole - when an email is sent from an address such as "Someone /path/to/file Somebody"@example.com and passes through the greylisting system, this leaves a file called _Someone /path/to/file [EMAIL PROTECTED] in the greylist cache directory. Running the cron program will then (after the mtime check is passed) execute the following command rm /path/to/cache/_Someone /path/to/file [EMAIL PROTECTED] which will fail to delete the cache file but *may* delete the file specified by the attacker (depending on who the cron job is being run as - which may be root) While the greylistclean.cron file is not automatically installed by the package, its installation is recommended in the readme file. A patch is attached. -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (50, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.4.29 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages sa-exim depends on: ii debconf [debconf-2.0] 1.4.30.13 Debian configuration management sy ii exim4-daemon-heavy 4.50-8 exim MTA (v4) daemon with extended ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii spamc 3.0.3-2 Client for SpamAssassin spam filte -- debconf information excluded *** greydiff --- /usr/share/doc/sa-exim/greylistclean.cron 2005-01-18 03:47:48.000000000 +0000 +++ greylistclean.cron 2005-12-28 19:17:29.000000000 +0000 @@ -12,8 +12,8 @@ # removes #echo "Greylist removes" #find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 | xargs -0 grep "Status: Greylisted" | sed "s/:Status: Greylisted//" -find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 | xargs -0 grep "Status: Greylisted" | sed "s/:Status: Greylisted//" | xargs -r rm +find /var/spool/sa-exim/tuplets/ -type f -mmin +2880 -print0 |xargs -0 grep -l 'Status: Greylisted' |perl -ne 'chomp;unlink if m(/var/spool/sa-exim/tuplets)' # Delete all entries older than 2 weeks # Uncomment these 2 lines if you want an hourly cron mail with the whitelist -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]