Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2022-003: Race condition in mail.local(8)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
NetBSD Security Advisory 2022-003
=================================
Topic: Race condition in mail.local(8)
Version: NetBSD-current: affected prior to 2022-05-17
NetBSD 10: not affected
NetBSD 9*: affected
NetBSD 8*: affected
Severity: Local user may be able to own any file or append arbitrary
data
Fixed: NetBSD-current: May 17, 2022
NetBSD-9 branch: May 17, 2022
NetBSD-8 branch: May 17, 2022
Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
A race condition exists in the mail.local(8) (/usr/libexec/mail.local)
program which is setuid root. That may be exploited in order to change
the ownership of or append arbitrary data to an arbitrary file.
A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.
This was originally addressed in NetBSD-SA2016-006 and has been
assigned CVE-2016-6253. The fix proved inefficient and had to
be fixed again, which is the reason for this new advisory.
Technical Details
=================
The user mailbox (typically /var/mail/$USER) which is used to deliver a
message, is checked using lstat(2) to verify that the file is not a symlink.
Then if the file is not a symlink, it's opened. If the file does not
exist, it is created with another open(2) call. There is a tiny window
between the two open calls in which the attacker could symlink it
to a arbitrary file, and the mail.local program then would chown
the file the symlink points to.
Solutions and Workarounds
=========================
Potential workaround is to remove /usr/libexec/mail.local, if you use
postfix(1) as the only way of delivering mails. mail.local(8) program was used
by sendmail(8) which is no longer shipped with the NetBSD (currently
postfix(1) is used as a default MTA). mail.local(8) dependency should be
checked manually in case of other MTAs).
To apply a fixed version from a releng build, fetch a fitting
base.{tgz,tar.xz} from nycdn.NetBSD.org and extract the fixed binaries:
cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz libexec/mail.local
with the following replacements:
REL = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH = your system's architecture
The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and
installing a new version of mail.local(8).
* NetBSD-current:
Systems running NetBSD-current dated from before 2022-05-18
should be upgraded to NetBSD-current dated 2022-05-18 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/libexec/mail.local
To update from CVS, re-build, and re-install mail.local(8):
# cd src
# cvs update -d -P libexec/mail.local
# cd libexec/mail.local
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 8.* or 9.*:
Systems running NetBSD 8.* or 9.* sources dated from before
2022-05-18 should be upgraded from NetBSD 8.* or 9.* sources dated
2022-05-18 or later.
The following files/directories need to be updated from the
netbsd-8 or netbsd-9 branches:
src/libexec/mail.local
To update from CVS, re-build, and re-install mail.local(8):
# cd src
# cvs update -r <branch_name> -d -P libexec/mail.local
# cd libexec/mail.local
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Jan Schaumann for pointing out the ineffectiveness of the original 2016-07-19
fix.
Revision History
================
2022-10-04 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc
Information about NetBSD and NetBSD security can be found at
https://www.NetBSD.org/
https://www.NetBSD.org/Security/
Copyright 2022, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2022-003.txt,v 1.1 2022/10/04 13:48:16 christos Exp $
-----BEGIN PGP SIGNATURE-----
iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmM8OaEcHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J//cKD/9u06K8UJCYh+w2ax0p
csmLj+vy62LqaaDQTbsDhqNB0zwDJsxKSqEsguP6zZhJqoQ+dUTLr8gHzyij7ARq
R02AXntyThpzPkTO61yklcKANzRdf9jQjJ/N6MzsqcFxP0xbtE48G4oDDDYNU7nn
eVQ0nI6XnaozZtyITJ5AQh7jUEzf0RHtfmE1mzuID41HM1rctow0n9ubmpoD3rq/
mwtfNFeRh5jyrCQtHKXMlly9M7kGFT1ZldKO2HHP3NHH1c3stCZ1Qj6jdm0mKXih
fgRFRs8hwl37qn1jxMTFd0/G7tsz5ox3/7LccxS181S2kghQ3q5F4bz2hO8GWL0d
C36VQj3ySmsECnSSjt709y6venTMCcmdERvOGjXNVtU2OYBuikzT8RQl1iNBMt4l
iBVh2/PtkvdAu1Yx9VVDbA+HLQj1ZNnr9ai2qckFOF2vHeAffHD9WeI4qINRhvJ5
pzgKikKHWKKID2crDsH0CxGVLq8RzU8a71+JrN3PSbaoXQT7kFsWMvXWWJrsmpVK
vNCqnYD1+hZgHvGidxiBFSog9rHJRzAebTISs+In+rlsL4SigrLOq5ZoD1bFLu0s
CCVKTIT2upWzri19+rz+SxkKobCSGLHVDruwc1nCm9pHP/00WRSuIjHWnHWRqTKi
xGDmiSbukLlLhq9ul+Zb3pI2KA==
=Swxd
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index