Max Vozeler wrote:
> Short description:
> lockmail.maildrop (setgid mail) lets the user specify a program and
> execvp()s it, but does not drop egid mail privilege before doing so.
> This opens a trivial privilege escalation (see "poc") to group mail.

Thanks a lot for the report. This is CAN-2005-2655.

> The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> and should be easy to fix: Just add setgid(getgid()) before the
> execvp(). I tested the attached patch briefly and verified that it
> builds and prevents this bug.

Steve, could you take care of sid and experimental packages if Joy is
too busy?

> The bug appears to be specific to Debian, upstream doesn't
> seem to install lockmail with a setgid flag.

Oh. Woody is not affected either.

Regards,

Joey

--
No question is too silly to ask, but, of course, some are too silly to answer. -- Perl book

Please always Cc to me when replying to me on the lists.