Bugtraq mailing list archives
exmh security vulnerability
From: "Noel A. Davis" <noeld () TFN NET>
Date: Fri, 12 Jan 2001 18:06:54 -0500
Brent Welch <brent.welch () interwoven com> asked that this message about the exmh symlink problem be forwarded to Bugtraq.

Thanks,
Noel

RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
http://rootprompt.org/
rss/rdf file: http://www.rootprompt.org/rss/
Text Headlines: http://www.rootprompt.org/rss/text.php3

---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch <brent.welch () interwoven com>
To: Albert White - SUN Ireland <albert.white () ireland sun com>
Cc: exmh-users () redhat com, sans () sans org, noeld () rootprompt org
Subject: Re: exmh security vulnerability on linux.com

I have put information about the symlink attack and fixes on
http://www.beedub.com/exmh/symlink.html

Note that any user can protect themselves without applying a patch. Exmh already has a feature that allows users to choose their own tmp directory via the TMPDIR or EXMHTMPDIR environment variable. Apparently the original bug reported failed to realize this simple remedy. However, a patch that causes exmh to pick a better directory by default is in place and available from the above web page. The change is also checked into CVS.

If someone out there is a member of BUGTRAQ, I would appreciate a posting to their list about this fix.
Albert White - SUN Ireland said:

On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html
This bug is mentioned:

"A problem in the bug reporting system for exmh, an X-based interface for the MH mail, can cause overwriting of arbitrary system files that are writable by the user running exmh. When exmh encounters a problem in its code, it opens a dialog that asks the user what happened and then allows them to send a bug report to the author. If the user chooses to e-mail the bug report, exmh creates the file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink, overwriting the file that it is linked to.

As of this time, the author has not released a patch or updated version. It is recommended that the bug report feature not be used on multiuser systems until this problem has been fixed."

I think the problem is in error.tcl around line 121:

    119 proc ExmhMailError { w errInfo } {
    120     global exmh
    121     if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
    122         Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
    123         return
    124     }

I guess all that is needed to fix this is a check to see that the file isn't a symlink before opening it. I don't know how to do that in tcl though :)

Cheers,
~Al

--
Brent Welch <brent.welch () interwoven com>
http://www.interwoven.com
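
The thread raises two remedies: a tmp directory of the user's own (TMPDIR or EXMHTMPDIR) and a check that the file is not a symlink before opening it. The Tcl sketch below combines both. It is an added example, not exmh's code and not the patch referenced above; the proc names `SafeTmpDir` and `SafeOpenNew` and the `~/.exmh-tmp` fallback directory are assumptions made for illustration.

```tcl
# Added example; proc names and the fallback directory are assumptions.

# Choose a directory for the report file. EXMHTMPDIR and TMPDIR are the
# variables named in the message above.
proc SafeTmpDir {} {
    global env
    foreach var {EXMHTMPDIR TMPDIR} {
        if {[info exists env($var)] && [file isdirectory $env($var)]} {
            return $env($var)
        }
    }
    # Assumed fallback for this sketch: a private directory under $HOME.
    set dir [file join $env(HOME) .exmh-tmp]
    file mkdir $dir
    file attributes $dir -permissions rwx------
    return $dir
}

# Create a fresh file without following anything already at $path.
proc SafeOpenNew {path} {
    # [file type] uses lstat, so a symlink is reported as "link",
    # not as the type of its target.
    if {![catch {file type $path} type]} {
        if {$type ne "file" || ![file owned $path]} {
            error "refusing $path: existing $type is not our own regular file"
        }
        file delete -- $path
    }
    # CREAT + EXCL maps to O_CREAT|O_EXCL: the open fails if any entry,
    # including a dangling symlink, appears at $path before we create it.
    return [open $path {WRONLY CREAT EXCL} 0600]
}

set path [file join [SafeTmpDir] exmhErrorMsg]
if {[catch {SafeOpenNew $path} out]} {
    puts stderr "Cannot open $path: $out"
} else {
    puts $out "constructed bug report body"
    close $out
}
```

Even when TMPDIR points at a shared directory such as /tmp, the exclusive create is what prevents the write from landing on a link target; the private directory removes the opportunity to plant one in the first place.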