Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

exmh security vulnerability

From: "Noel A. Davis" <noeld () TFN NET>
Date: Fri, 12 Jan 2001 18:06:54 -0500
Brent Welch <brent.welch () interwoven com> asked that this message about the
exmh symlink problem be forwarded to Bugtraq.

Thanks,

Noel

RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
http://rootprompt.org/
rss/rdf file:  http://www.rootprompt.org/rss/
Text Headlines:  http://www.rootprompt.org/rss/text.php3

---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch <brent.welch () interwoven com>
To: Albert White - SUN Ireland <albert.white () ireland sun com>
Cc: exmh-users () redhat com, sans () sans org, noeld () rootprompt org
Subject: Re: exmh security vulnerability on linux.com

I have put information about the symlink attack and fixes on
http://www.beedub.com/exmh/symlink.html

Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own
tmp directory via the TMPDIR or EXMHTMPDIR environment variable.
Apparently the original bug reported failed to realize this simple
remedy.  However, a patch that causes exmh to pick a better directory
by default is in place and available from the above web page.  The
change is also checked into CVS.

If someone outthere is a member of BUGTRAQ, I would appreciate a posting
to their list about this fix.


Albert White - SUN Ireland said:



On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html

This bug is mentioned:

"A problem in the bug reporting system for exmh, an X-based interface for th

     e

MH mail, can cause overwriting of arbitrary system files that are writable b

     y

the user running exmhexmh encounters a problem in its code, it opens a dialo

     g

that asks the user what happened and then allows them to send a bug report t

     o

the author. If the user chooses to e-mail the bug report, exmh creates the
file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink

     ,

overwriting the file that it is linked to.

As of this time, the author has not released a patch or updated version. It

     is

recommended that the bug report feature not be used on multiuser systems unt

     il

this problem has been fixed."

I think the problem is in error.tcl around line 121:
   119  proc ExmhMailError { w errInfo } {
   120      global exmh
   121      if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
   122          Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
   123          return
   124      }

I guess all that is needed to fix this is a check to see that the file isn't

      a

symlink before opening it. I don't know how to do that in tcl though :)

Cheers,
~Al


--==_Exmh_-536764512P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (SunOS)
Comment: Exmh version 2.2 06/23/2000

iD4DBQE6XxH3pfmE8MiMM1IRAh4AAJjoZuUKRrXwlU3NALPNXmOCY15VAJwNr82Q
H7r69/0P2qxWE66bcPUCxg==
=2+zl
-----END PGP SIGNATURE-----

--==_Exmh_-536764512P--


--      Brent Welch     <brent.welch () interwoven com>
        http://www.interwoven.com
Previous By Date Next
Previous By Thread Next

Current thread: