Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Advisory: mgetty local compromise

From: Gert Doering <gert () GREENIE MUC DE>
Date: Sat, 26 Aug 2000 11:02:09 +0200
Hi,

aren't there things you *REALLY* hate?  This is one of them.

On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:

Author                 : Stan Bubrouski
Date                    : August 26, 2000
Package              : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity               : faxrunqd follows symbolic links when creating
certain files. The default location for the files is /var/spool/fax/outgoing,
which is a world-writable directory. Local users can destroy the contents
of any file on a mounted filesystem because faxrunqd is usually run by root.

Problem              : mgetty comes with a program named faxrunqd, which is
a daemon to send fax jobs queued by faxspool(1).  Upon successful execution,
a file named .last_run is created in the /var/spool/fax/outgoing/
directory which is world-writable.  The problem lies in the fact faxrunqd
will follow symlinks created by any user, allowing file creation anywhere
and allowing existing files to be overwritten/destroyed.


First of all, this hole does NOT exist anymore in 1.1.22.  It has been
reported to me by the FreeBSD people, and closed on August 14, 2000.

1.1.22 has been released on August 17, 2000, and can be found on the usual
places (http://alpha.greenie.net/mgetty/).

So, please, get your facts right before posting.


Second, I am really annoyed to find this on bugtraq, with false data,
without any prior contact.  The fact that I just released 1.1.22 should
give you enough hint that I am still maintaining mgetty, and sending me a
quick mal "hey, is this bug still open?" would have been in order.

Also, it would have saved *you* the embarrassment to report something to
bugtraq that is already fixed.


Vendor releases might still be vulnerable (shipping old versions), but as
faxrunqd(8) isn't usually run by default, a "standard system" should NOT
be vulnerable.  *If* you run faxrunqd, though, upgrade to 1.1.22 (but
those of you that do, you know who you are...)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert () greenie muc de
fax: +49-89-35655025                        gert.doering () physik tu-muenchen de
Previous By Date Next
Previous By Thread Next

Current thread: