Bug 621882 - <mail-mta/postfix-3.1.6: privilege escalation via postfix set-gid programs
Summary: <mail-mta/postfix-3.1.6: privilege escalation via postfix set-gid programs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://www.postfix.org/announcements/...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2017-06-16 07:57 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-11-12 13:23 UTC (History)
See Also:
Package list:
mail-mta/postfix-3.1.6
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-16 07:57:51 UTC
From http://www.postfix.org/announcements/postfix-3.2.2.html:
> Fixed in all supported releases:
> 
>   Security: Berkeley DB versions 2 and later try to read settings from a
>   file DB_CONFIG in the current directory. This undocumented feature may
>   introduce undisclosed vulnerabilities resulting in privilege
>   escalation with Postfix set-gid programs (postdrop, postqueue) before
>   they chdir to the Postfix queue directory, and with the postmap and
>   postalias commands depending on whether the user's current directory
>   is writable by other users. This fix does not change Postfix behavior
>   for Berkeley DB versions < 3, but it does reduce postmap and
>   postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6.

Additional reference: http://seclists.org/oss-sec/2017/q2/452
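The precondition the quoted advisory describes (a DB_CONFIG file picked up from a current directory that other users can write to) can be checked before running postmap or postalias from an untrusted directory. This is an added example, not code from the bug report or from Postfix; the function names and the constructed scratch directory are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

DB_CONFIG_NAME = "DB_CONFIG"  # file name Berkeley DB reads from the cwd


def db_config_findings(directory):
    """Return a list of strings describing why a Berkeley DB based tool
    (postmap, postalias, or a set-gid Postfix program before its chdir)
    run with `directory` as the current directory could be influenced by
    a DB_CONFIG file written by another user. Empty list: nothing found."""
    d = Path(directory)
    mode = d.stat().st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("directory is writable by any user")
    if mode & stat.S_IWGRP:
        findings.append("directory is writable by its group")
    if findings and mode & stat.S_ISVTX:
        # The sticky bit only blocks deleting/renaming other users' files;
        # it does not stop another user from creating a fresh DB_CONFIG here.
        findings.append("sticky bit does not prevent creation of DB_CONFIG")
    cfg = d / DB_CONFIG_NAME
    if cfg.is_symlink() or cfg.exists():
        owner = os.lstat(cfg).st_uid
        who = "this user" if owner == os.geteuid() else "uid %d" % owner
        findings.append("DB_CONFIG present, owned by " + who)
    return findings


def safe_to_run_db_tool(directory=None):
    """True when no finding applies to `directory` (default: current dir)."""
    return not db_config_findings(directory or os.getcwd())


if __name__ == "__main__":
    # Constructed demonstration: a world-writable scratch directory with a
    # DB_CONFIG in it, the /tmp-style working directory the advisory warns about.
    scratch = tempfile.mkdtemp()
    os.chmod(scratch, 0o1777)
    (Path(scratch) / DB_CONFIG_NAME).write_text("# constructed sample\n")
    for line in db_config_findings(scratch):
        print("WARNING:", line)
    print("safe:", safe_to_run_db_tool(scratch))
```

Running postmap or postalias only when `safe_to_run_db_tool()` returns True, or after changing into a directory you own, removes the attacker-controlled input the fix in 3.1.6 closes off.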
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-16 08:01:46 UTC
@ Arches,

please test and mark stable: =mail-mta/postfix-3.1.6
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-16 14:10:59 UTC
amd64 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-17 15:09:39 UTC
ia64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-17 17:26:57 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 14:59:31 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:05:20 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:18:35 UTC
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-06-23 04:40:41 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 09:09:35 UTC
sparc stable
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:26:33 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-21 09:30:51 UTC
hppa stable.

Last arch is done.
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-21 15:44:13 UTC
New GLSA Request filed.

@Maintainers please remove vulnerable versions.

Gentoo Security Padawan
ChrisADR
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:52:04 UTC
This issue was resolved and addressed in
 GLSA 201709-20 at https://security.gentoo.org/glsa/201709-20
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 15:53:10 UTC
re-opened for cleanup