88836 2005-04-12 05:22 0000 mail-client/pine: Pine rpdump File Creation Race Condition 2005-05-10 07:52:27 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://secunia.com/advisories/14899/ B4 [noglsa] jaervosz P2 minor --- 1 lewk@gentoo.org security@gentoo.org net-mail@gentoo.org ppc-macos@gentoo.org lewk@gentoo.org 2005-04-12 05:22:11 0000 TITLE: Pine rpdump File Creation Race Condition Vulnerability SECUNIA ADVISORY ID: SA14899 VERIFY ADVISORY: http://secunia.com/advisories/14899/ CRITICAL: Not critical IMPACT: Manipulation of data WHERE: Local system SOFTWARE: Pine 4.x http://secunia.com/product/710/ DESCRIPTION: Imran Ghory has reported a vulnerability in Pine, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerability is caused due to a race condition in the rpdump utility when creating files. The problem is that there is a larger gap between the time that a check is made to determine whether a local file exists and the time that the file is created. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the vulnerable program. Successful exploitation requires write permissions to the directory, which rpdump creates the local file in. The vulnerability has been reported in Pine 4.62. Other versions may also be affected. SOLUTION: Ensure that only the user has write permissions to the directory used for creating the file with rpdump. PROVIDED AND/OR DISCOVERED BY: Imran Ghory jaervosz@gentoo.org 2005-04-12 07:22:26 0000 net-mail please advise. ticho@gentoo.org 2005-04-12 16:35:09 0000 Upstream hasn't provided a patch yet, I will mail Eduardo Chappa (probably most active one there) and ask about it. ticho@gentoo.org 2005-04-13 08:10:04 0000 Mr. Chappa informed me that Pine team is aware of this vulnerability, and is working on it. He also commented on the vulnerability (there was no disclaimer with his e-mail, so I guess it's alright to reproduce): [quote] I saw the report and I took a look at the source code of rpdump, so I will tell you what I think. First off all, rpdump is a program that downloads remote configuration information of Pine to a local file. In another words, an attacker could be able to see a .pinerc file that a person is downloading. The attack requires that a user be able to write in someone elses directory, but in that case you can probably overwrite a .pinerc file, so the system is horribly configured. In my opinion this is not a big issue. The only information that you could gain by symlinking a .pinerc file is personal information about servers, no passwords can be obtained this way (unless the user writes explicitly in that file the passwords). I do not consider this information very interesting, unless one connects insecurely to those servers, in whose case it may be interesting for the attacker, but in that case, chances are that someone else already spied that connection and got the sensitive information necessary to connect to that server. By looking at the source code of rpdump, I see that pine checks for access to the local file that is going to be used to download such remote information, way before it creates such file, it does it even before it connects to the remote server. I myself don't know how a call to "access" will alert an attacker to create a symlink to a non existing file, I guess one could see it from the processes table, but I really don't see how useful this attack is. However, if you know of a way to do this, then there is enough time to do this attack (in the sense that it could take a couple of seconds to complete this operations, rarely it should take more than 10 seconds, and that's too long). [/quote] koon@gentoo.org 2005-04-21 01:06:17 0000 I tend to agree with the author this is not a serious thing, as almost all race conditions discovered by Imran are... vorlon@gentoo.org 2005-04-22 13:08:13 0000 CAN-2005-1066 ticho@gentoo.org 2005-05-05 16:32:33 0000 Ok, upstream has released 4.63 (few days ago, I failed to notice), which has this fixed (according to release notes). I've just committed an pine-4.63.ebuild to portage. jaervosz@gentoo.org 2005-05-05 22:20:24 0000 Thx Ticho. Arches please test and mark stable. Downgrading severity. ticho@gentoo.org 2005-05-06 00:18:16 0000 Stable on x86. ticho@gentoo.org 2005-05-06 00:19:40 0000 Oh, and ppc-macos should fix pine in regards to mit-krb5: RDEPEND.badindev 8 mail-client/pine/pine-4.61-r2.ebuild: ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.62-r1.ebuild: ~ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.62.ebuild: ~ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.61-r4.ebuild: ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.61-r3.ebuild: ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.62-r2.ebuild: ~ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.63.ebuild: ~ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] mail-client/pine/pine-4.61-r5.ebuild: ppc-macos(default-darwin/macos/10.3) ['app-crypt/mit-krb5'] hansmi@gentoo.org 2005-05-06 00:37:01 0000 Stable on ppc. gustavoz@gentoo.org 2005-05-06 07:00:14 0000 sparc stable. kloeri@gentoo.org 2005-05-06 15:22:22 0000 Stable on alpha + ia64. herbs@gentoo.org 2005-05-06 15:51:07 0000 Stable on amd64. jaervosz@gentoo.org 2005-05-09 23:20:15 0000 This one is ready for GLSA vote. I tend to vote NO. taviso@gentoo.org 2005-05-10 00:59:03 0000 I would agree, NO glsa for this questionable issue. ticho@gentoo.org 2005-05-10 02:20:58 0000 Yup, this is a very minor issue. NO glsa, if you need one more vote. :) jaervosz@gentoo.org 2005-05-10 07:52:27 0000 Changing to a full NO -> closing without GLSA.