Bug 171075 (CVE-2011-4919) - <net-mail/mpack-1.6-r2: Information disclosure (CVE-2011-4919)
Summary: <net-mail/mpack-1.6-r2: Information disclosure (CVE-2011-4919)
Status: RESOLVED FIXED
Alias: CVE-2011-4919
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 396639
Depends on:
Blocks:
 
Reported: 2007-03-15 19:54 UTC by Marek Chmielewski
Modified: 2012-01-15 23:29 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---


Attachments
 - Patch for mpack-1.6 (mpack-1.6.patch, 1.63 KB, patch), 2007-05-03 22:54 UTC, Jonas Pedersen
 - net-mail/mpack-1.6 bzip'ed patches (mpack-1.6-fixes.patch.bz2, 4.03 KB, application/octet-stream), 2007-06-20 03:33 UTC, Tiago Cunha (RETIRED)
 - net-mail/mpack-1.6 ebuild diff (ebuild-fixes.patch, 614 bytes, patch), 2007-06-20 03:34 UTC, Tiago Cunha (RETIRED)

Description Marek Chmielewski 2007-03-15 19:54:42 UTC
When I try to send mail with an attachment, mpack gives me the message "File exists" and doesn't send the mail.

$ mpack -s test file mail
File exists

net-mail/mpack-1.5-r1 works fine.


Reproducible: Always
Comment 1 Jonas Pedersen 2007-05-03 22:54:28 UTC
Created attachment 118097 [details, diff]
Patch for mpack-1.6

Apply this patch instead of mpack-1.6-gentoo.patch already in portage. The difference between the two patches is that the change to use mkstemp has been reverted back to use mktemp. This should be safe as the temp file is opened with the O_EXCL flag later in the program. When using mkstemp the file is created when mkstemp is called, and opening the file later with O_EXCL fails. This is the reason for the program giving the "File exists" error. If mktemp should give a filename collision with another temp file, it still gives an error when it is opened with the O_EXCL flag set.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-24 19:29:21 UTC
Your patch leads to this:

cp unixpk.man mpack.1
xmalloc.c:27: error: conflicting types for 'malloc'
xmalloc.c: In function 'xmalloc':
xmalloc.c:37: warning: incompatible implicit declaration of built-in function 'exit'
xmalloc.c: In function 'xrealloc':
xmalloc.c:50: warning: incompatible implicit declaration of built-in function 'exit'
make: *** [xmalloc.o] Error 1
Comment 3 Jonas Pedersen 2007-05-25 21:41:34 UTC
I have only been able to reproduce the error you mention by NOT applying the patch.

I will not take full credit for the patch as the patch I attached is largely based on the one already in portage. I only changed it back to use mktemp instead of mkstemp. 

Are you sure that you actually applied the patch to mpack?
Comment 4 Tiago Cunha (RETIRED) gentoo-dev 2007-06-20 03:28:40 UTC
FreeBSD[1][2] and Debian[3] already have the patches to fix this.

I've downloaded the FreeBSD patches except the patch-uudecode.c because gcc gave warnings (appending -Wall to the CFLAGS in the mpack Makefile) regarding the signedness (they changed char to unsigned char). I also sed'ed the TMPDIR from the FreeBSD default /tmp to /var/tmp (as the existing mpack-1.6-gentoo.patch does).

Executing "mpack -s test file mail" sends file to mail successfully. The error "File exists" occurred because (as Jonas said) of the use of O_CREAT with O_EXCL, not in mktemp() but on the open() syscall - in the unixos.c file (when O_CREAT and O_EXCL are both specified on open(), open() fails if the file already exists).

The bzip'ed patch (15 patches total, but they aren't bigger than 20Kb; it's a lot of patches, though) and the ebuild diff follow.

[1]. http://www.freebsd.org/cgi/query-pr.cgi?pr=93967
[2]. http://www.freebsd.org/cgi/cvsweb.cgi/ports/converters/mpack/files/
[3]. http://packages.debian.org/changelogs/pool/main/m/mpack/mpack_1.6-4/changelog

Portage 2.1.2.7 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r0, 2.6.20-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 19 Jun 2007 06:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="-akv"
FEATURES="buildpkg ccache collision-protect distlocks fixpackages metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://mirrors1.netvisao.pt/gentoo http://darkstar.ist.utl.pt/pub/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 apache2 arts bash-completion bitmap-fonts cairo cdr cli cracklib crypt dbus dri dts dvd dvdr dvdread eds emboss encode evo fam firefox flac fortran gif gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal kdehiddenvisibility libg++ mad midi mikmod mmx mp3 mpeg mudflap musepack musicbrainz mysql ncurses nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl png postgres pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Tiago Cunha (RETIRED) gentoo-dev 2007-06-20 03:33:40 UTC
Created attachment 122567 [details]
net-mail/mpack-1.6 bzip'ed patches

FreeBSD/Debian patches with the signedness modifications in the patch-uudecode.c FreeBSD patch file - i.e. don't change char to unsigned char.
Comment 6 Tiago Cunha (RETIRED) gentoo-dev 2007-06-20 03:34:37 UTC
Created attachment 122568 [details, diff]
net-mail/mpack-1.6 ebuild diff
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-06-21 09:31:39 UTC
(In reply to comment #4)
> FreeBSD[1][2] and Debian[3] already have the patches to fix this.

 Is upstream aware of them?
Comment 8 Tiago Cunha (RETIRED) gentoo-dev 2007-06-23 08:36:26 UTC
(In reply to comment #7)
>  Is upstream aware of them?

I've mailed <mpack-bugs@andrew.cmu.edu> and heard nothing back.
Comment 9 meyerm 2007-10-05 14:30:41 UTC
Anything new about it? Just stumbled again over this bug after an update.
Comment 10 Tiago Cunha (RETIRED) gentoo-dev 2007-10-06 20:36:36 UTC
(In reply to comment #9)
> Anything new about it? Just stumbled again over this bug after an update.

I heard nothing back from <mpack-bugs@andrew.cmu.edu>.

Comment 11 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-12-08 01:57:18 UTC
@net-mail team: I have removed the ~amd64 kw from 1.6. Please add us back to CC if you decide to patch mpack (or create a new bug) to test. (However, IMHO, this is a candidate for treecleaners)
Comment 12 Sebastian Pipping gentoo-dev 2011-12-07 23:45:00 UTC
Here's a quick summary:

 - error "File exists" should be fixed in 1.6-r1, now

 - both 1.6 and 1.6-r1 seem vulnerable to a TOCTTOU attack to me

 - neither Debian [1] nor FreeBSD [2] seem to have proper patches for this, yet:
   Debian uses mktemp, FreeBSD uses "close(mkstemp(fnamebuf))", which looks
   vulnerable to me.


+*mpack-1.6-r1 (07 Dec 2011)
+
+  07 Dec 2011; Sebastian Pipping <sping@gentoo.org> +mpack-1.6-r1.ebuild,
+  +files/mpack-1.6-compile.patch, +files/mpack-1.6-paths.patch:
+  The s/mktemp/mkstemp/ from <mpack-1.6-gentoo.patch> is broken: it does not
+  fully fix the TOCTTOU vulnerability but breaks sending of e-mails (bug
+  #171075). So I extracted the parts of (1) missing include, (2) wrong
+  prototypes and (3) system path corrections from that patch, made dedicated
+  files and added missing bits to each of these, and ripped the
+  s/mktemp/mkstemp/ part out. A proper TOCTTOU fix is left todo. It's not
+  trivial to do.
+
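Review bot: the entry states that the s/mktemp/mkstemp/ change "does not fully fix the TOCTTOU vulnerability" but not why or where the remaining window sits; comment 4 locates the O_CREAT|O_EXCL open() in unixos.c and this comment identifies the close(mkstemp(...)) then reopen-by-name pattern as the problem, so naming that file and the reopen here would make the "left todo" findable for whoever picks it up. It should also say plainly that 1.6-r1 still carries the mktemp() race, so the security bug stays open against it rather than reading as resolved by the "File exists" fix.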


[1] http://ftp.de.debian.org/debian/pool/main/m/mpack/mpack_1.6-7.debian.tar.bz2
[2] http://www.freebsd.org/cgi/cvsweb.cgi/ports/converters/mpack/files/patch-unixpk.c?rev=1.1
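The three temp-file patterns this thread argues about (comment 1: mktemp() followed by an O_CREAT|O_EXCL open(); comment 4 and the FreeBSD patch-unixpk.c: close(mkstemp(...)) and then reopening the name; comment 12: why only keeping the mkstemp() descriptor closes the race) side by side, as an added example. This is not code from mpack, the Gentoo patch, Debian or FreeBSD; the function names, the mpack-example-XXXXXX template and the use of $TMPDIR or /tmp are this example's own assumptions. The "File exists" error of the bug report falls out of the second pattern directly.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *mktemp(char *);   /* repeated so the example also compiles if system   */
int mkstemp(char *);    /* headers were already included in a strict profile */

#define PATH_BUF 4096

/* Constructed template: $TMPDIR or /tmp plus a name of our own, not mpack's. */
static void make_template(char *path, size_t n)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    snprintf(path, n, "%s/mpack-example-XXXXXX", dir);
}

/* Pattern 1 (comment 1; 1.6 with the revert, 1.6-r1): mktemp() guesses a name,
 * open() creates it with O_CREAT|O_EXCL. A planted file or symlink makes the
 * open fail with EEXIST instead of being written through, but the name is
 * predictable and the mktemp()..open() gap lets an attacker force that failure. */
static int open_tmp_mktemp_excl(char *path, size_t n)
{
    make_template(path, n);
    if (mktemp(path) == NULL || path[0] == '\0')
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Pattern 2 (mpack-1.6-gentoo.patch, FreeBSD's close(mkstemp(fnamebuf))):
 * mkstemp() creates the file, the descriptor is dropped, the name is reopened.
 * excl=1 always fails with EEXIST: the "File exists" of the bug report.
 * excl=0 succeeds but opens whatever is at the path *now*: the TOCTTOU window. */
static int open_tmp_mkstemp_reopen(char *path, size_t n, int excl)
{
    int fd;
    make_template(path, n);
    if ((fd = mkstemp(path)) < 0)
        return -1;
    close(fd);
    return open(path, O_WRONLY | O_CREAT | (excl ? O_EXCL : 0), 0600);
}

/* Pattern 3 (the fix): keep the descriptor mkstemp() returned and do all I/O
 * through it, so the name is never resolved a second time. */
static FILE *open_tmp_mkstemp_keepfd(char *path, size_t n)
{
    int fd;
    FILE *fp;
    make_template(path, n);
    if ((fd = mkstemp(path)) < 0)       /* O_CREAT|O_EXCL, mode 0600, atomic */
        return NULL;
    if ((fp = fdopen(fd, "w+")) == NULL) {
        close(fd);
        unlink(path);
    }
    return fp;
}

/* Checks: each returns 1 on the expected behaviour and removes its file. */
static int check_mktemp_excl_refuses_collision(void)
{
    char path[PATH_BUF];
    int ok = 0, fd = open_tmp_mktemp_excl(path, sizeof path);
    if (fd < 0)
        return 0;
    /* a second O_EXCL creator of the same name is refused, not silently shared */
    if (open(path, O_WRONLY | O_CREAT | O_EXCL, 0600) < 0 && errno == EEXIST)
        ok = 1;
    close(fd);
    unlink(path);
    return ok;
}

static int errno_of_mkstemp_reopen_excl(void)    /* reproduces the bug */
{
    char path[PATH_BUF];
    int err = 0, fd = open_tmp_mkstemp_reopen(path, sizeof path, 1);
    if (fd < 0)
        err = errno;
    else
        close(fd);
    unlink(path);
    return err;
}

static int check_keepfd_roundtrip(void)          /* the fixed pattern works */
{
    char path[PATH_BUF], buf[16] = {0};
    FILE *fp = open_tmp_mkstemp_keepfd(path, sizeof path);
    int ok;
    if (fp == NULL)
        return 0;
    fputs("hello\n", fp);
    rewind(fp);                                  /* flushes, then reads back */
    ok = fgets(buf, sizeof buf, fp) != NULL && strcmp(buf, "hello\n") == 0;
    fclose(fp);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("mktemp+O_EXCL refuses collision: %d\n", check_mktemp_excl_refuses_collision());
    printf("close(mkstemp) then O_EXCL reopen: errno %d (EEXIST is %d)\n",
           errno_of_mkstemp_reopen_excl(), EEXIST);
    printf("mkstemp keep-fd round trip: %d\n", check_keepfd_roundtrip());
    return 0;
}
```

Pattern 1 is what Jonas relied on: O_EXCL does turn a name collision into a hard failure, so an attacker cannot make mpack write through a planted link. It does not stop the attacker from pre-creating the predictable name and turning every send into "File exists", and it leaves the window between the name lookup and the open. Pattern 2 is strictly worse: with O_EXCL it cannot work at all, and without it the reopen trusts whatever the path resolves to after the descriptor was thrown away. Only pattern 3 has no second lookup, which is why the proper fix has to thread the mkstemp() descriptor through the rest of the code rather than the file name.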
Comment 13 Sebastian Pipping gentoo-dev 2011-12-07 23:50:23 UTC
PS: Upstream may be dead:

 - mpack-bugs (a) andrew.cmu.edu
   --> no reply yet

 - John G. Myers <jgm (a) cmu.edu>
   --> error

 - Christopher J. Newman <chrisn (a) cmu.edu>
   --> error
Comment 14 Sebastian Pipping gentoo-dev 2011-12-31 22:48:05 UTC
I have done a bit more research now, just received a CVE number and applied a patch.


+*mpack-1.6-r2 (31 Dec 2011)
+
+  31 Dec 2011; Sebastian Pipping <sping@gentoo.org> +mpack-1.6-r2.ebuild,
+  +files/mpack-1.6-cve-2011-4919.patch:
+  Apply patch for CVE-2011-4919 (information disclosure) (bug #171075)
+
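Review bot: the entry names the CVE and the patch file but not what the patch changes. Since the 1.6-r1 entry left the TOCTTOU fix as "todo" and called it non-trivial, one line on the approach (for instance whether the temp file is now used through the descriptor mkstemp() returns instead of being reopened by name) would let arch testers and the security team verify the fix rather than only the revision bump.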
Comment 15 Michael Harrison 2011-12-31 22:53:25 UTC
*** Bug 396639 has been marked as a duplicate of this bug. ***
Comment 16 Sebastian Pipping gentoo-dev 2012-01-01 16:32:41 UTC
Just checked: the latest stable version in Gentoo (1.5-r1) is affected, too.

Please stabilize 1.6-r2.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2012-01-01 17:43:14 UTC
Arches, please test and mark stable:
=net-mail/mpack-1.6-r2
Target keywords : "amd64 sparc x86"
Comment 18 Agostino Sarubbo gentoo-dev 2012-01-02 00:15:00 UTC
amd64 stable
Comment 19 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-04 18:00:52 UTC
x86 stable
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2012-01-14 18:44:39 UTC
sparc keyword dropped
Comment 21 Sebastian Pipping gentoo-dev 2012-01-14 18:52:34 UTC
(In reply to comment #20)
> sparc keyword dropped

Please excuse that I add you back to CC so you see this reply for sure.  I would be interested to hear about the rationale with dropping sparc.  No objections, just curiosity.  Thanks!
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2012-01-14 19:31:05 UTC
(In reply to comment #21)
> (In reply to comment #20)
> > sparc keyword dropped
> 
> Please excuse that I add you back to CC so you see this reply for sure.  I
> would be interested to hear about the rationale with dropping sparc.  No
> objections, just curiosity.  Thanks!

sparc doesn't need this package; if any user who uses sparc still uses it, he'll complain. Otherwise this just puts load on the sparc team (which is just me), and on the other hand the security team or the maintainer can go ahead with their procedures without waiting for sparc in the future.
Comment 23 Tim Sammut (RETIRED) gentoo-dev 2012-01-15 22:54:03 UTC
Thanks, everyone. GLSA vote: no.
Comment 24 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-15 23:29:36 UTC
NO, too. Closing noglsa.