Gentoo Bug 64643 - net-mail/getmail-4.2 and -3.2.5 announced -- older versions are local exploitable if run as root

Description:

Opened: 2004-09-19 07:20 0000

http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG:

Version 4.2.0
18 September 2004

  -SECURITY: previous versions of getmail contain a security vulnerability.
  A local attacker with a shell account could exploit a race condition (or a 
  similar symlink attack) to cause getmail to create or overwrite files in a 
  directory of the local user's choosing if the system administrator ran getmail 
  as root and delivered messages to a maildir or mbox file under the control of 
  the attacker, resulting in a local root exploit.  Fixed in versions 4.2.0
  and 3.2.5.
  This vulnerability is not exploitable if the administrator does not deliver
  mail to the maildirs/mbox files of untrusted local users, or if getmail is
  configured to use an external unprivileged MDA.  This vulnerability is
  not remotely exploitable.
  Thanks: David Watson.  My gratitude to David for his work on finding and
  analyzing this problem.
  -Now, on Unix-like systems when run as root, getmail forks a child
  process and drops privileges before delivering to maildirs or mbox files.
  getmail will absolutely refuse to deliver to such destinations as root;
  the uid to switch to must be configured in the getmailrc file.
  -revert behaviour regarding delivery to non-existent mbox files.  Versions
  4.0.0 through 4.1.5 would create the mbox file if it did not exist; in
  versions 4.2.0 and up, getmail reverts to the v.3 behaviour of refusing
  to do so.


renamed ebuild works.

Reproducible: Always
Steps to Reproduce:

------- Comment #1 From Sune Kloppenborg Jeppesen 2004-09-19 07:41:28 0000 -------

net-mail please confirm and provide updated ebuild if necessary.

------- Comment #2 From Andrej Kacian (RETIRED) 2004-09-19 14:03:52 0000 -------

The ebuild for 4.2.0 now in CVS portage.

------- Comment #3 From Luke Macken (RETIRED) 2004-09-19 22:41:24 0000 -------

archs, please mark stable.

------- Comment #4 From Torsten Veller 2004-09-19 23:02:01 0000 -------

My summary wasn't as precise as i could be:
"Fixed in versions 4.2.0 and 3.2.5."

If getmail-3 should remain in the tree then bump to 3.2.5.

------- Comment #5 From Andrej Kacian (RETIRED) 2004-09-19 23:44:05 0000 -------

We intended to remove getmail-3 from portage as soon as 4.0.2-r2 gets stable.
As 4.2.0 will hopefully get marked stable soon, I'll remove -3 after that.

------- Comment #6 From Jochen Maes (RETIRED) 2004-09-20 02:39:00 0000 -------

marked 4.20 ppc 

If i need to mark every version stable from 3.2.5 till there please let me know (rather not but hey :-) )

greetings

------- Comment #7 From Gustavo Zacarias (RETIRED) 2004-09-20 08:00:12 0000 -------

Sparc stable.

------- Comment #8 From Andrej Kacian (RETIRED) 2004-09-20 08:07:09 0000 -------

Stable on x86

------- Comment #9 From Bryan Østergaard (RETIRED) 2004-09-20 11:55:01 0000 -------

Stable on alpha.

------- Comment #10 From Danny van Dyk (RETIRED) 2004-09-21 14:10:46 0000 -------

stable on amd64

------- Comment #11 From Andrej Kacian (RETIRED) 2004-09-21 14:29:59 0000 -------

As 4.2.0 is stable on all arches set for it, I'm finally removing all getmail-3
ebuilds.

------- Comment #12 From Sune Kloppenborg Jeppesen 2004-09-23 14:07:40 0000 -------

GLSA 200409-32

Bug 64643 depends on:			Show dependency tree Show dependency graph
Bug 64643 blocks:			Show dependency tree Show dependency graph

Bugzilla Bug 64643

net-mail/getmail-4.2 and -3.2.5 announced -- older versions are local exploitable if run as root

Last modified: 2004-09-23 14:07:40 0000