- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200808-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Postfix: Local privilege escalation vulnerability
      Date: August 14, 2008
      Bugs: #232642
        ID: 200808-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Postfix incorrectly checks the ownership of a mailbox, allowing, in
certain circumstances, to append data to arbitrary files on a local
system with root privileges.

Background
=========
Postfix is Wietse Venema's mailer that attempts to be fast, easy to
administer, and secure, as an alternative to the widely-used Sendmail
program.

Affected packages
================
    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  mail-mta/postfix     < 2.5.3-r1                      *>= 2.4.7-r1
                                                           >= 2.5.3-r1

Description
==========
Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).

Impact
=====
The combination of these features allows a local attacker to hardlink a
root-owned symlink such that the newly created symlink would be
root-owned and would point to a regular file (or another symlink) that
would be written by the Postfix built-in local(8) or virtual(8)
delivery agents, regardless the ownership of the final destination
regular file. Depending on the write permissions of the spool mail
directory, the delivery style, and the existence of a root mailbox,
this could allow a local attacker to append a mail to an arbitrary file
like /etc/passwd in order to gain root privileges.

The default configuration of Gentoo Linux does not permit any kind of
user privilege escalation.

The second vulnerability (CVE-2008-2937) allows a local attacker,
already having write permissions to the mail spool directory which is
not the case on Gentoo by default, to create a previously nonexistent
mailbox before Postfix creates it, allowing to read the mail of another
user on the system.

Workaround
=========
The following conditions should be met in order to be vulnerable to
local privilege escalation.

* The mail delivery style is mailbox, with the Postfix built-in
  local(8) or virtual(8) delivery agents.

* The mail spool directory (/var/spool/mail) is user-writeable.

* The user can create hardlinks pointing to root-owned symlinks
  located in other directories.

Consequently, each one of the following workarounds is efficient.

* Verify that your /var/spool/mail directory is not writeable by a
  user. Normally on Gentoo, only the mail group has write access, and
  no end-user should be granted the mail group ownership.

* Prevent the local users from being able to create hardlinks
  pointing outside of the /var/spool/mail directory, e.g. with a
  dedicated partition.

* Use a non-builtin Postfix delivery agent, like procmail or
  maildrop.

* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/"
  for example).

Concerning the second vulnerability, check the write permissions of
/var/spool/mail, or check that every Unix account already has a
mailbox, by using Wietse Venema's Perl script available in the official
advisory.

Resolution
=========
All Postfix users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"

References
=========
  [ 1 ] CVE-2008-2936
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
  [ 2 ] CVE-2008-2937
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
  [ 3 ] Official Advisory
        
Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/glsa-200808-12.xml

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo: GLSA-200808-12: Postfix: Local privilege escalation vulnerability

Postfix incorrectly checks the ownership of a mailbox, allowing, in certain circumstances, to append data to arbitrary files on a local system with root privileges

Summary

Gentoo Linux Security Advisory GLSA 200808-12 https://security.gentoo.org/ Severity: High Title: Postfix: Local privilege escalation vulnerability Date: August 14, 2008 Bugs: #232642 ID: 200808-12

Synopsis ======= Postfix incorrectly checks the ownership of a mailbox, allowing, in certain circumstances, to append data to arbitrary files on a local system with root privileges.
Background ========= Postfix is Wietse Venema's mailer that attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program.
Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 mail-mta/postfix < 2.5.3-r1 *>= 2.4.7-r1 >= 2.5.3-r1
========== Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail to root-owned symlinks in an insecure manner under certain conditions. Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with the systems using symlinks in /dev like Solaris. Furthermore, some systems like Linux allow to hardlink a symlink, while the POSIX.1-2001 standard requires that the symlink is followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937).
Impact ===== The combination of these features allows a local attacker to hardlink a root-owned symlink such that the newly created symlink would be root-owned and would point to a regular file (or another symlink) that would be written by the Postfix built-in local(8) or virtual(8) delivery agents, regardless the ownership of the final destination regular file. Depending on the write permissions of the spool mail directory, the delivery style, and the existence of a root mailbox, this could allow a local attacker to append a mail to an arbitrary file like /etc/passwd in order to gain root privileges.
The default configuration of Gentoo Linux does not permit any kind of user privilege escalation.
The second vulnerability (CVE-2008-2937) allows a local attacker, already having write permissions to the mail spool directory which is not the case on Gentoo by default, to create a previously nonexistent mailbox before Postfix creates it, allowing to read the mail of another user on the system.
Workaround ========= The following conditions should be met in order to be vulnerable to local privilege escalation.
* The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents.
* The mail spool directory (/var/spool/mail) is user-writeable.
* The user can create hardlinks pointing to root-owned symlinks located in other directories.
Consequently, each one of the following workarounds is efficient.
* Verify that your /var/spool/mail directory is not writeable by a user. Normally on Gentoo, only the mail group has write access, and no end-user should be granted the mail group ownership.
* Prevent the local users from being able to create hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition.
* Use a non-builtin Postfix delivery agent, like procmail or maildrop.
* Use the maildir delivery style of Postfix ("home_mailbox=Maildir/" for example).
Concerning the second vulnerability, check the write permissions of /var/spool/mail, or check that every Unix account already has a mailbox, by using Wietse Venema's Perl script available in the official advisory.
Resolution ========= All Postfix users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=mail-mta/postfix-2.5.3-r1"
References ========= [ 1 ] CVE-2008-2936 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936 [ 2 ] CVE-2008-2937 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937 [ 3 ] Official Advisory
Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/glsa-200808-12.xml
Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License ====== Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5

Resolution

References

Availability

Concerns

Severity

Synopsis

Background

Affected Packages

Impact

Workaround