Bug 64643 - net-mail/getmail-4.2 and -3.2.5 announced -- older versions are local exploitable if run as root
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.qcc.ca/~charlesc/software/...
Whiteboard: C1 [glsa] lewk
Reported: 2004-09-19 07:20 UTC by Torsten Veller (RETIRED)
Modified: 2011-10-30 22:38 UTC

Description Torsten Veller (RETIRED) gentoo-dev 2004-09-19 07:20:45 UTC
http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG:

Version 4.2.0
18 September 2004

  -SECURITY: previous versions of getmail contain a security vulnerability.
  A local attacker with a shell account could exploit a race condition (or a 
  similar symlink attack) to cause getmail to create or overwrite files in a 
  directory of the local user's choosing if the system administrator ran getmail 
  as root and delivered messages to a maildir or mbox file under the control of 
  the attacker, resulting in a local root exploit.  Fixed in versions 4.2.0
  and 3.2.5.
  This vulnerability is not exploitable if the administrator does not deliver
  mail to the maildirs/mbox files of untrusted local users, or if getmail is
  configured to use an external unprivileged MDA.  This vulnerability is
  not remotely exploitable.
  Thanks: David Watson.  My gratitude to David for his work on finding and
  analyzing this problem.
  -Now, on Unix-like systems when run as root, getmail forks a child
  process and drops privileges before delivering to maildirs or mbox files.
  getmail will absolutely refuse to deliver to such destinations as root;
  the uid to switch to must be configured in the getmailrc file.
  -revert behaviour regarding delivery to non-existent mbox files.  Versions
  4.0.0 through 4.1.5 would create the mbox file if it did not exist; in
  versions 4.2.0 and up, getmail reverts to the v.3 behaviour of refusing
  to do so.


renamed ebuild works.

Reproducible: Always
Steps to Reproduce:
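
The fix the changelog describes (fork a child, drop to a configured uid, refuse to deliver as root) can be sketched as follows. This is an added illustration, not getmail's code and not part of the original report; `deliver_as_user` and its parameters are hypothetical names, and it narrows delivery to creating a single message file.

```python
import os


def deliver_as_user(uid, gid, path, data):
    """Create a new file at path from a child process running as uid/gid.

    Hypothetical helper. Returns True only if the child wrote the message.
    """
    if uid == 0:
        # Same rule as the changelog: never write into a user-controlled
        # mail destination with root's identity.
        raise ValueError("refusing to deliver as root")
    pid = os.fork()
    if pid:
        # Parent keeps its privileges and only collects the child's result.
        _, status = os.waitpid(pid, 0)
        return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
    try:
        # Child: shed privileges before touching the destination at all.
        if os.geteuid() == 0:
            os.setgroups([])  # supplementary groups first
        os.setgid(gid)        # group before user; after setuid this would fail
        os.setuid(uid)        # as root this sets real, effective and saved uid
        if os.getuid() != uid or os.geteuid() != uid:
            os._exit(2)
        # From here the kernel checks every path component against the
        # unprivileged user, so a symlink into a root-only directory fails.
        # O_EXCL refuses anything already at path (symlinks included);
        # O_NOFOLLOW is a second guard on the final component.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(path, flags, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os._exit(0)
    except Exception:
        os._exit(1)
```
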
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-19 07:41:28 UTC
net-mail please confirm and provide updated ebuild if necessary.
Comment 2 Andrej Kacian (RETIRED) gentoo-dev 2004-09-19 14:03:52 UTC
The ebuild for 4.2.0 now in CVS portage.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-09-19 22:41:24 UTC
archs, please mark stable.
Comment 4 Torsten Veller (RETIRED) gentoo-dev 2004-09-19 23:02:01 UTC
My summary wasn't as precise as I could be:
"Fixed in versions 4.2.0 and 3.2.5."

If getmail-3 should remain in the tree then bump to 3.2.5.
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2004-09-19 23:44:05 UTC
We intended to remove getmail-3 from portage as soon as 4.0.2-r2 gets stable. As 4.2.0 will hopefully get marked stable soon, I'll remove -3 after that.
Comment 6 Jochen Maes (RETIRED) gentoo-dev 2004-09-20 02:39:00 UTC
marked 4.20 ppc 

If I need to mark every version stable from 3.2.5 till there please let me know (rather not but hey :-) )

greetings
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-20 08:00:12 UTC
Sparc stable.
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2004-09-20 08:07:09 UTC
Stable on x86
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-20 11:55:01 UTC
Stable on alpha.
Comment 10 Danny van Dyk (RETIRED) gentoo-dev 2004-09-21 14:10:46 UTC
stable on amd64
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2004-09-21 14:29:59 UTC
As 4.2.0 is stable on all arches set for it, I'm finally removing all getmail-3 ebuilds.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-23 14:07:40 UTC
GLSA 200409-32