On 08/31/2017 11:24 AM, Dianne Skoll wrote:
> Here's a patch that should apply against MIMEDefang 2.80.

Wow, that was fast, thanks.


> Again, I cannot see any way to completely close this hole as long as
> we're holding an fcntl(F_SETLK)-style lock, since the descriptor
> must be kept open.  I do as much as I can to mitigate this by
> destroying the variable containing the fd, but an attacker could
> pretty quickly discover which fd is pointing to the lock file.

You'll have to forgive the stupid question since I'm not a regular user
of MIMEDefang, but what's the purpose of the file lock? Is it to prevent
multiple daemons from running at the same time when they're not managed
by an init system?


> Since an exploit requires compromising the daemon, I would say this
> is not a super-urgent problem.

Agreed there, thanks again for the quick fix.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
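
The point in the quoted text, that an fcntl-style lock lasts only while the descriptor stays open, shown as an added example. This is not code from MIMEDefang or from the patch; the temp-file path and the function names are made up for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Non-blocking exclusive lock over the whole file; 0 on success. */
static int lock_whole_file(int fd) {
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    return fcntl(fd, F_SETLK, &fl);
}

/* Probe from a child process, because F_GETLK never reports the caller's
 * own locks. Returns 1 if another process holds a lock, 0 if not, -1 on error. */
static int locked_by_other(const char *path) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
        int fd = open(path, O_RDWR);
        if (fd < 0 || fcntl(fd, F_GETLK, &fl) < 0) _exit(2);
        _exit(fl.l_type == F_UNLCK ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* Lock a constructed temp file, probe, close the descriptor, probe again. */
int demo_lock_lifetime(int *while_open, int *after_close) {
    char path[] = "/tmp/lockdemo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (lock_whole_file(fd) < 0) { close(fd); unlink(path); return -1; }
    *while_open = locked_by_other(path);
    close(fd);                               /* the kernel drops the lock here */
    *after_close = locked_by_other(path);
    unlink(path);
    return 0;
}

int main(void) {
    int held, freed;
    if (demo_lock_lifetime(&held, &freed) != 0) return 1;
    printf("locked while fd open: %d, after close: %d\n", held, freed);
    return 0;
}
```

The lock belongs to the process and is released when it closes a descriptor for the file, which is why a daemon that wants to keep the lock has to keep the descriptor for its whole lifetime.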