Max Vozeler wrote:
> Short description: 
> lockmail.maildrop (setgid mail) lets the user specify a program and
> execvp()s it, but does not drop egid mail privilege before doing so.
> This opens a trivial privilege escalation (see "poc") to group mail.

Thanks a lot for the report.  This is CAN-2005-2655.

> The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> and should be easy to fix: Just add setgid(getgid()) before the
> execvp(). I tested the attached patch briefly and verified that it
> builds and prevents this bug.

Steve, could you take care of sid and experimental packages if Joy
is too busy?

> The bug appears to be specific to Debian, upstream doesn't
> seem to install lockmail with a setgid flag.

Oh.

Woody is not affected either.

Regards,

        Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Please always Cc to me when replying to me on the lists.
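
The fix described in the report (give up the mail egid before execvp() runs the user-chosen program), as an added example that is not part of the original mail or of the maildrop patch. It goes slightly beyond the setgid(getgid()) call named in the report by using setresgid(), which also clears the saved GID, and by verifying the result; the function names are hypothetical and a Linux/glibc system is assumed.

```c
#define _GNU_SOURCE           /* for setresgid()/getresgid() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from the maildrop source): permanently give up
 * any set-group-ID privilege. Returns 0 on success, -1 on failure.
 */
int drop_setgid_privilege(void)
{
    gid_t rgid = getgid();
    gid_t r, e, s;

    /* Set real, effective and saved GID so the old egid cannot be restored. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;

    /* Verify the IDs instead of trusting the return value alone. */
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    if (r != rgid || e != rgid || s != rgid)
        return -1;
    return 0;
}

/* Hypothetical wrapper: drop privilege, then run the user-chosen program. */
int run_unprivileged(char *const argv[])
{
    if (drop_setgid_privilege() != 0) {
        perror("dropping group privilege");
        return -1;            /* never exec with the egid still elevated */
    }
    execvp(argv[0], argv);
    perror(argv[0]);          /* only reached if execvp() failed */
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    run_unprivileged(&argv[1]);
    return 1;
}
```
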

