CVE-2008-5312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5312): mailscanner 4.55.10 might allow local users to overwrite arbitrary files via a symlink attack on certain temporary files used by the (1) f-prot-autoupdate, (2) clamav-autoupdate, (3) panda-autoupdate.new, (4) trend-autoupdate.new, and (5) rav-autoupdate.new scripts in /etc/MailScanner/autoupdate/, a different vulnerability than CVE-2008-5140.
* Fixes *
2 Major work on removing symlink attack vulnerabilities affecting -autoupdate lock files. Note: This vulnerability only affected systems where normal interactive users could log in to the system, or create arbitrary symlinks in your filesystem. So the ISP-style setups were never vulnerable, as they didn't allow normal users to login or allow people to arbitrarily create symlinks in the filesystem.
2 Removed symlink attack vulnerabilities in SpamAssassin and tnef handlers.
So, let's update to 4.74.12-1.
4.74.13-1 is out and fixes additional symlink attacks, but there are more to be fixed, so please wait with the update.
*** Bug 249275 has been marked as a duplicate of this bug. ***
Is "12/1/2009 - A few minor problems have cropped up in the latest 4.74 release, so I have fixed them and released 4.74.16." fixing it?
Most stuff seems fixed, but some issues were disputed, we should check the code again to see how serious it is...
The author does not seem to learn. There are still several symlink issues in the code, even some new ones, despite my warnings by mail. Also, version 4.79.11-1 bundles the following libs:
Archive-Zip-1.16 bignum-0.23 Compress-Zlib-1.41 Convert-BinHex-1.119 Convert-TNEF-0.17 DBD-SQLite-1.25 DBI-1.607 Digest-HMAC-1.01 Digest-MD5-2.36 Digest-SHA1-2.11 ExtUtils-MakeMaker-6.50 File-Spec-0.82 Filesys-Df-0.90 File-Temp-0.20 Getopt-Long-2.38 HTML-Parser-3.64 HTML-Tagset-3.03 IO-1.2301 IO-stringy-2.110 MailScanner-4.79.11-1 MailTools-2.04 Math-BigInt-1.89 Math-BigRat-0.22 MIME-Base64-3.07 MIME-tools-5.427 Net-CIDR-0.13 Net-DNS-0.65 Net-IP-1.25 OLE-Storage_Lite-0.16 Pod-Escapes-1.04 Pod-Simple-3.05 Scalar-List-Utils-1.19 Storable-2.16 Sys-Hostname-Long-1.4 Sys-Syslog-0.27 Test-Harness-2.64 Test-Pod-1.26 Test-Simple-0.86 TimeDate-1.16 Time-HiRes-1.9707 tnef-1.4.5
Let's *please* punt this *cough* crap *cough*.
(In reply to comment #6)
> Let's *please* punt this *cough* crap *cough*.
You got it.
# Samuli Suominen <ssuominen@gentoo.org> (16 Mar 2010)
# Masked for QA and security.
#
# Over 40 bundled libs and several symlink vulnerabilities
#
# http://bugs.gentoo.org/show_bug.cgi?id=253657#c6
#
# Removal in 30 days
mail-filter/MailScanner
Not sure where you got this bundling issue from, but I have installed MailScanner-4.79.11.1 and none of the mentioned libs seems to be bundled, or if they are part of the tarball, they aren't installed. The following are all Perl modules installed:
/usr/lib64/MailScanner/MailScanner/Antiword.pm
/usr/lib64/MailScanner/MailScanner/BinHex.pm
/usr/lib64/MailScanner/MailScanner/Config.pm
/usr/lib64/MailScanner/MailScanner/ConfigDefs.pl
/usr/lib64/MailScanner/MailScanner/CustomConfig.pm
/usr/lib64/MailScanner/MailScanner/CustomFunctions
/usr/lib64/MailScanner/MailScanner/CustomFunctions/MyExample.pm
/usr/lib64/MailScanner/MailScanner/Exim.pm
/usr/lib64/MailScanner/MailScanner/EximDiskStore.pm
/usr/lib64/MailScanner/MailScanner/FileInto.pm
/usr/lib64/MailScanner/MailScanner/GenericSpam.pm
/usr/lib64/MailScanner/MailScanner/LinksDump.pm
/usr/lib64/MailScanner/MailScanner/Lock.pm
/usr/lib64/MailScanner/MailScanner/Log.pm
/usr/lib64/MailScanner/MailScanner/MCP.pm
/usr/lib64/MailScanner/MailScanner/MCPMessage.pm
/usr/lib64/MailScanner/MailScanner/Mail.pm
/usr/lib64/MailScanner/MailScanner/Message.pm
/usr/lib64/MailScanner/MailScanner/MessageBatch.pm
/usr/lib64/MailScanner/MailScanner/PFDiskStore.pm
/usr/lib64/MailScanner/MailScanner/Postfix.pm
/usr/lib64/MailScanner/MailScanner/QMDiskStore.pm
/usr/lib64/MailScanner/MailScanner/Qmail.pm
/usr/lib64/MailScanner/MailScanner/Quarantine.pm
/usr/lib64/MailScanner/MailScanner/Queue.pm
/usr/lib64/MailScanner/MailScanner/RBLs.pm
/usr/lib64/MailScanner/MailScanner/SA.pm
/usr/lib64/MailScanner/MailScanner/SMDiskStore.pm
/usr/lib64/MailScanner/MailScanner/Sendmail.pm
/usr/lib64/MailScanner/MailScanner/SweepContent.pm
/usr/lib64/MailScanner/MailScanner/SweepOther.pm
/usr/lib64/MailScanner/MailScanner/SweepViruses.pm
/usr/lib64/MailScanner/MailScanner/SystemDefs.pm
/usr/lib64/MailScanner/MailScanner/TNEF.pm
/usr/lib64/MailScanner/MailScanner/Unzip.pm
/usr/lib64/MailScanner/MailScanner/WorkArea.pm
/usr/lib64/MailScanner/MailScanner/ZMDiskStore.pm
/usr/lib64/MailScanner/MailScanner/ZMailer.pm
(In reply to comment #8) > Not sure where you got this bundling issue from, but I have installed > MailScanner-4.79.11.1 and none of the mentioned libs seems to be bundled, or if > they are part of the tarball, they aren't installed. Indeed. The upstream author (Julian Field) provides bundled tarballs for convenience on various distribs, but the gentoo ebuild doesn't install anything from those tarballs except MailScanner itself. The version in the gentoo tree is ancient; I have a homegrown ebuild (adapted from the version in the tree) for the latest version of MailScanner and would be happy to work with gentoo devs to do the necessary QA, and if necessary liaise with Julian to resolve any upstream issues.
(In reply to comment #9)
> (In reply to comment #8)
> > Not sure where you got this bundling issue from, but I have installed
> > MailScanner-4.79.11.1 and none of the mentioned libs seems to be bundled, or if
> > they are part of the tarball, they aren't installed.
>
> Indeed. The upstream author (Julian Field) provides bundled tarballs for
> convenience on various distribs, but the gentoo ebuild doesn't install anything
> from those tarballs except MailScanner itself.
>
> The version in the gentoo tree is ancient; I have a homegrown ebuild (adapted
> from the version in the tree) for the latest version of MailScanner and would
> be happy to work with gentoo devs to do the necessary QA, and if necessary
> liaise with Julian to resolve any upstream issues.
Seconded, I also keep a local overlay with the latest version adapted.
Indeed, you're right. I'm not sure if I tested an older version because of the bundling, or if I just got it wrong there. But this is not the main problem, the symlink vulnerabilities are. Despite several mails, the author doesn't really look into security problems and seems to repeat them. Do a "grep -r /tmp *" and have some fun... :( I suggest you make the overlay public, so that others who dare to use this can do so.
Assuming this is running on a dedicated mail server, no users allowed access other than admin-level to perform upgrades/security patches, is there any symlink attack? If not, I think this seems really bogus to completely remove it from Gentoo. We are using this package in a dedicated mail server and it will make our life quite difficult to have to transition away from this. You can't just say it'll be removed in 30 days, that's not cool.
(In reply to comment #12)
> We are using this package in a dedicated mail server and it will make our life
> quite difficult to have to transition away from this. You can't just say it'll
> be removed in 30 days, that's not cool.
Firstly, there won't be any need to transition away from MailScanner just because gentoo remove an ebuild from their tree. Secondly, you're right that on a dedicated mail server with no local user logins, symlink attacks are effectively irrelevant. But that's not to say that they shouldn't be fixed; of course they should. Unfortunately the upstream author also has major health issues to deal with, but a fix should be forthcoming nonetheless - just give him time. Thirdly, the few affected scripts are not part of the core functionality of MailScanner, but are helper scripts for antivirus updates. AFAIK the antivirus programs concerned (bitdefender, kaspersky) are not available as gentoo ebuilds, so perhaps the easiest solution, at least until an upstream fix is available, would simply be not to install these scripts in the first place. I hope that the tree admins can be persuaded to leave MailScanner in the tree, masked, until an upstream fix becomes available.
I really have a hard time understanding where the bugs in MailScanner are. Please advise us in more detail on the issue. Thank you.
After discussion with the upstream author and checking through all the scripts, I can't find a single symlink vulnerability in MailScanner 4.79.11. In every case where a file is created in /tmp with a hard-coded or predictable name, the file is unlinked or rm -f'ed immediately before it is re-created. Unless anyone has evidence to the contrary regarding symlink vulnerabilities, can we please close this bug and drop the threatened deletion from the tree? Once that is done I'll open a new bug to bump MailScanner to 4.80 (currently in upstream beta, due to be released as upstream stable in the next couple of weeks).
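Two helpers, added here as an example and not code from MailScanner or the Gentoo ebuild: the "grep -r /tmp" review suggested in comment #11, narrowed to lines that name a fixed file under /tmp or /var/tmp without mktemp, and the mktemp-based lock file creation that replaces the rm -f and re-create idiom described in comment #15 (mktemp chooses an unpredictable name and creates the file with O_EXCL in one step, so no window remains between the removal and the re-creation). The script it scans is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not MailScanner or Gentoo code.

audit_fixed_tmp_paths() {
    # Print "lineno:text" for each line that names a fixed file under /tmp
    # or /var/tmp and does not go through mktemp. Exit 0 if any, 1 if clean.
    grep -nE '(/var)?/tmp/[[:alnum:]._-]+' "$1" | grep -v mktemp
}

count_fixed_tmp_paths() {
    audit_fixed_tmp_paths "$1" | wc -l | tr -d ' '
}

make_lock_file() {
    # $1 is a prefix such as clamav-autoupdate; mktemp appends a random
    # suffix and creates the file itself with O_CREAT|O_EXCL and mode 0600,
    # so a symlink already sitting at that path is never followed.
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX"
}

write_sample_script() {
    # Constructed sample: the unsafe idiom followed by the safe one.
    f=$(mktemp "${TMPDIR:-/tmp}/autoupdate-sample.XXXXXX")
    cat > "$f" <<'EOF'
#!/bin/sh
# unsafe: predictable name; rm -f followed by '>' still leaves a race
LOCKFILE=/tmp/clamav-autoupdate.lock
rm -f $LOCKFILE
echo $$ > $LOCKFILE
# safe: name chosen and file created atomically by mktemp
SAFELOCK=$(mktemp /tmp/clamav-autoupdate.XXXXXX)
echo $$ > "$SAFELOCK"
EOF
    echo "$f"
}

# Direct run: list the suspect lines of the sample, then clean up.
SAMPLE=$(write_sample_script)
audit_fixed_tmp_paths "$SAMPLE" || echo "no fixed /tmp paths found"
LOCK=$(make_lock_file example-lock)
rm -f "$LOCK" "$SAMPLE"
```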
Removed from main tree. Can be readded when upstream has something clean.
(In reply to comment #16)
> Removed from main tree. Can be readded when upstream has something clean.
On what basis? Nobody has demonstrated any vulnerabilities in the current upstream stable version (4.79.11) that is (was?) in the tree, and the claims about bundled libraries were totally false. It's not enough to state "just grep through the code", if you actually take the time to *read* the code it can be clearly seen to be safe.
Created attachment 255209
Ebuild against latest stable version
Hi! I updated the last published ebuild for MailScanner several weeks ago. Fixed some dependencies as well; it works fine so far. I looked for the mentioned security problems with this updated version, especially the symlink problems, and found nothing at all. Please explain what I should look for and where!
# emerge -pv MailScanner
[ebuild R ] mail-filter/MailScanner-4.81.4.1 USE="clamav postfix spamassassin -doc -exim" 0 kB [1]
Regards, Gergely
Old package, long gone. noglsa.