Linux Security
    Linux Security
    Linux Security

    Debian: New postfix packages fix privilege escalation

    Date 18 Aug 2008
    3380
    Posted By LinuxSecurity Advisories
    Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1629-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.debian.org/security/                          Thijs Kinkhorst
    August 18, 2008                       https://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : postfix
    Vulnerability  : programming error
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2008-2936
    
    Sebastian Krahmer discovered that Postfix, a mail transfer agent,
    incorrectly checks the ownership of a mailbox. In some configurations,
    this allows for appending data to arbitrary files as root.
    
    The default Debian installation of Postfix is not affected. Only a
    configuration meeting the following requirements is vulnerable:
     * The mail delivery style is mailbox, with the Postfix built-in
       local(8) or virtual(8) delivery agents.
     * The mail spool directory is user-writeable.
     * The user can create hardlinks pointing to root-owned symlinks
       located in other directories.
    
    For a detailed treating of this issue, please refer to the upstream
    author's announcement:
    https://article.gmane.org/gmane.mail.postfix.announce/110
    
    For the stable distribution (etch), this problem has been fixed in
    version 2.3.8-2etch1.
    
    For the testing distribution (lenny), this problem has been fixed in
    version 2.5.2-2lenny1.
    
    For the unstable distribution (sid), this problem has been fixed
    in version 2.5.4-1.
    
    We recommend that you upgrade your postfix package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8.orig.tar.gz
        Size/MD5 checksum:  2787761 a6c560657788fc7a5444fa9ea32f5513
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.diff.gz
        Size/MD5 checksum:   177462 0827e61a7033e8625d92123c84b32782
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1.dsc
        Size/MD5 checksum:      907 8e9f0c462c57eb2be521714404474aca
    
    Architecture independent packages:
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-dev_2.3.8-2etch1_all.deb
        Size/MD5 checksum:   130818 5038e376db1c661eb0284f96dff4761a
      https://security.debian.org/pool/updates/main/p/postfix/postfix-doc_2.3.8-2etch1_all.deb
        Size/MD5 checksum:   785408 5db9bdc0300637afd3d508afe2c261dc
    
    alpha architecture (DEC Alpha)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_alpha.deb
        Size/MD5 checksum:  1188364 c8c7f45763ccfd74b84335ea073c551c
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_alpha.deb
        Size/MD5 checksum:    36556 fcb1c6262baed1402032c2105b83d059
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_alpha.deb
        Size/MD5 checksum:    38746 a0d1334395beda433d586b63b0d60b80
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_alpha.deb
        Size/MD5 checksum:    43408 d9e830efc4532ccddc46f394232959a6
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_alpha.deb
        Size/MD5 checksum:    38596 855c8573280d5b191a12175b2e7afe8c
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_alpha.deb
        Size/MD5 checksum:    38928 579217f55db12977c61b8d437f3ab436
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_amd64.deb
        Size/MD5 checksum:    38318 24205dd0481bb1d78684167d8d20f44f
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_amd64.deb
        Size/MD5 checksum:    38338 50a46f34f638ea42525b98ca985b4f11
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_amd64.deb
        Size/MD5 checksum:    43268 a24dd35f2ec288c2c4f674099e44385f
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_amd64.deb
        Size/MD5 checksum:  1148848 f27f053dffd95b730f1186ed37ed8673
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_amd64.deb
        Size/MD5 checksum:    38460 907b2a8d84a54cdf31ade8c201d3780a
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_amd64.deb
        Size/MD5 checksum:    36378 1ab120583bcc5873a5350d9786282eab
    
    arm architecture (ARM)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_arm.deb
        Size/MD5 checksum:    42742 2d6799c7726a3943a39939baebacdc98
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_arm.deb
        Size/MD5 checksum:    38324 6acd31d6ce0200fdd49043c99459c4c8
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_arm.deb
        Size/MD5 checksum:    38394 52628e6399391671a8512ed25739813c
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_arm.deb
        Size/MD5 checksum:    38592 1db4a21bb2c6f135e342b65317ecb897
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_arm.deb
        Size/MD5 checksum:  1080626 3e05804bf0bf7101ae3e4eec33d1524f
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_arm.deb
        Size/MD5 checksum:    36378 71361b9cd3c008a9e96e8c23866b1a80
    
    hppa architecture (HP PA RISC)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_hppa.deb
        Size/MD5 checksum:    37504 76b3b4785a5e91fc1010ce32ccee31ed
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_hppa.deb
        Size/MD5 checksum:    45296 73bc72e54d6ef6909fd3df4266061d7b
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_hppa.deb
        Size/MD5 checksum:    40138 807908ccb69444d9aa1917861dc51af9
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_hppa.deb
        Size/MD5 checksum:  1174040 44260c5be83cd1d051de22c155aee72a
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_hppa.deb
        Size/MD5 checksum:    39814 547026b4994dfbf216be7f9ee0487054
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_hppa.deb
        Size/MD5 checksum:    39624 69209a3695bb1568f8c11e6ab4bb792d
    
    i386 architecture (Intel ia32)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_i386.deb
        Size/MD5 checksum:    36514 2c10b797c15b02828b344693d4f9c597
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_i386.deb
        Size/MD5 checksum:    38680 d1beb196bcc090457a791760b5e7bdfd
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_i386.deb
        Size/MD5 checksum:    38354 d074798f79b42bd245e13b8ce0f3adef
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_i386.deb
        Size/MD5 checksum:    43160 40cc3fc2fc6374a07893321c2758a447
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_i386.deb
        Size/MD5 checksum:    38770 d97f22246f4cb6cb48e4c993ad37daac
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_i386.deb
        Size/MD5 checksum:  1092656 30352104ad6fad91f13b996483e52e5b
    
    ia64 architecture (Intel ia64)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_ia64.deb
        Size/MD5 checksum:    37958 d3628d8f8d4fa6cc760ef77e21acb468
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_ia64.deb
        Size/MD5 checksum:    40762 6c5dcb7f2d6196ddf23a8e6d7b9e5f10
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_ia64.deb
        Size/MD5 checksum:    47878 bb8188e31d1a632164d1bb5dda88a810
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_ia64.deb
        Size/MD5 checksum:  1439608 cfc2f5db48f0f6bcc8ddb3e85a4032d6
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_ia64.deb
        Size/MD5 checksum:    40766 59cd143a5727868aaae30f309286a433
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_ia64.deb
        Size/MD5 checksum:    41066 385bf68a76cd27e12e012bf535a841e0
    
    mips architecture (MIPS (Big Endian))
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_mips.deb
        Size/MD5 checksum:    38194 014b70898f5aae21a95877c4e32f9941
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_mips.deb
        Size/MD5 checksum:    36186 7c957d531808b35bd6994aeea448e213
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_mips.deb
        Size/MD5 checksum:    38188 29a16989a6414ed3722f1422f46d9cd2
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_mips.deb
        Size/MD5 checksum:    38446 0dc8cfc6f527161b8b4ce16dd8b297c6
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_mips.deb
        Size/MD5 checksum:  1129132 4e6a95c1f4040b7b24ac18ab80455d4d
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_mips.deb
        Size/MD5 checksum:    42376 af1d25a56c756443db89f6aa6a7bbb38
    
    powerpc architecture (PowerPC)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_powerpc.deb
        Size/MD5 checksum:    37738 ee3c0924d5deb0d61741c9497156c0bf
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_powerpc.deb
        Size/MD5 checksum:    44218 6ade57e38f9948016b71e6373f6f1863
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_powerpc.deb
        Size/MD5 checksum:    39670 6a6597cfb2a225d05963a149386d8fcc
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_powerpc.deb
        Size/MD5 checksum:    39774 3979adcff1c659588beb2e65c5ddb4d3
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_powerpc.deb
        Size/MD5 checksum:  1167716 45d3590893a6b4c3efc99780508f92e1
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_powerpc.deb
        Size/MD5 checksum:    39966 7acc51d59c4c640b8c4963c09c573356
    
    s390 architecture (IBM S/390)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_s390.deb
        Size/MD5 checksum:    38752 56864ace555741a8e580ac9cdad129c3
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_s390.deb
        Size/MD5 checksum:  1154368 f62e41e9b4d18eaaf76d0096370ceb1f
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_s390.deb
        Size/MD5 checksum:    36562 9deaaf037d9694a5a09f01743c687a52
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_s390.deb
        Size/MD5 checksum:    38360 6191ba334c80aa5e4dd12df40781c96d
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_s390.deb
        Size/MD5 checksum:    43310 9a73eaee5cfd0b3656976a36c256e676
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_s390.deb
        Size/MD5 checksum:    38918 570c0d157fd6b6b4102122a965d3e6f6
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pgsql_2.3.8-2etch1_sparc.deb
        Size/MD5 checksum:    38198 6ca537558089e41ebbdea7c90f2e4fd4
      https://security.debian.org/pool/updates/main/p/postfix/postfix-pcre_2.3.8-2etch1_sparc.deb
        Size/MD5 checksum:    37906 746615a2cc165a0fcb5aff5be073e289
      https://security.debian.org/pool/updates/main/p/postfix/postfix-mysql_2.3.8-2etch1_sparc.deb
        Size/MD5 checksum:    38058 ac84629509e45bf424752e4852e175e1
      https://security.debian.org/pool/updates/main/p/postfix/postfix-cdb_2.3.8-2etch1_sparc.deb
        Size/MD5 checksum:    36106 55d00480a61daa52578d69081a4e93a6
      https://security.debian.org/pool/updates/main/p/postfix/postfix_2.3.8-2etch1_sparc.deb
        Size/MD5 checksum:  1080776 87ff76ea63ba069b769b3491fac51670
      https://security.debian.org/pool/updates/main/p/postfix/postfix-ldap_2.3.8-2etch1_sparc.deb
        Size/MD5 checksum:    42910 767373c92a53b62640e69b16749f1fcc
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb https://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    

    Advisories

    LinuxSecurity Poll

    I agree with Linus Torvalds - Apple's new M1-powered laptops should run on Linux.

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /main-polls/45-i-agree-with-linus-torvalds-apple-s-new-m1-powered-laptops-should-run-on-linux?task=poll.vote&format=json
    45
    radio
    [{"id":"158","title":"True","votes":"13","type":"x","order":"1","pct":4.19,"resources":[]},{"id":"159","title":"False","votes":"297","type":"x","order":"2","pct":95.81,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    You have already voted for this poll.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.