** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public ** Sebastian Krahmer of Suse reported that Postfix (1) checks whether a mailbox is a symlink, but does not do so for root. This could allow privilege escalation by creating a hardlink to a root-owned symlink (such as /etc/init.d/net* on Gentoo), and delivering mail to the root user. (2) does not check whether the mailbox already exists but is owned by a different user.
Created attachment 161331: patch for privilege escalation via hardlinked symlinks suitable for postfix >2.0
CVE-2008-2936 postfix priv esc CVE-2008-2937 postfix (maybe others) spool file bad permissions The attached patch is addressing CVE-2008-2936, the other issue will be handled via "the regular non-emergency release process" probably over this weekend. Chtekk/dertobi123, could you already prepare an ebuild, simple epatch added to 2.4.6-r2 appears to work alright. I am not sure when the other issue will be fixed or at what time this patch will be released yet. Adding robbat2 for infra, in case they might be interested in this.
(In reply to comment #2)
> The attached patch is addressing CVE-2008-2936, the other issue will be handled
> via "the regular non-emergency release process" probably over this weekend.
The patch applies and compiles fine for 2.4.*, but not for 2.5.2 - is there another patch for 2.5?
> Chtekk/dertobi123, could you already prepare an ebuild, simple epatch added to
> 2.4.6-r2 appears to work alright. I am not sure when the other issue will be
> fixed or at what time this patch will be released yet.
I'm attaching a diff between -r2 and -r3 plus the updated -r3 ebuild. Besides adding that epatch line I also changed the way the include and library path for postgres are determined; that fix has been used in 2.5.2 for around 6 weeks and shouldn't cause any issue when stabling 2.4.6-r3.
Created attachment 161366: Diff between 2.4.6-r2 and 2.4.6-r3
Created attachment 161368: postfix-2.4.6-r3.ebuild
Before cc'ing arch liaisons I would wait for a patch to the other CVE.
Postfix 2.5.3 has been released, the ChangeLog doesn't mention a fix for CVE-2008-2937. As for CVE-2008-2936: 20080725 Paranoia: defer delivery when a mailbox file is not owned by the recipient. Requested by Sebastian Krahmer, SuSE. Specify "strict_mailbox_ownership=no" to ignore ownership discrepancies. Files: local/mailbox.c, virtual/mailbox.c.
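As an added illustration, not the Postfix patch itself, the following C function performs the check the ChangeLog entry above describes (defer delivery unless the mailbox is a plain file owned by the recipient), and additionally refuses symlinks and multiply-linked files, which covers the hardlinked-symlink case from the report. The function name, the demo and the temp-directory paths are my own; the demo constructs its fixtures under /tmp and returns how many of the four scenarios behaved as intended.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an mbox file for appending. Returns an fd, or -1 meaning "defer
   delivery": the path is a symlink (never followed, even for root), has a
   second hard link, is not a regular file, or is not owned by recipient. */
int safe_open_mailbox(const char *path, uid_t recipient)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;                         /* includes ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != recipient) {       /* the strict ownership check */
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo with constructed mailboxes in a private temp dir; returns how many
   of the four scenarios behaved as intended (4 = all). */
int run_demo(void)
{
    char dir[] = "/tmp/mbox-demo-XXXXXX", plain[64], extra[64], sym[64];
    int ok = 0, fd;
    if (!mkdtemp(dir))
        return 0;
    snprintf(plain, sizeof plain, "%s/alice", dir);
    snprintf(extra, sizeof extra, "%s/alice-link", dir);
    snprintf(sym, sizeof sym, "%s/root", dir);
    fd = open(plain, O_WRONLY | O_CREAT, 0600);       /* ordinary mailbox */
    close(fd);
    if ((fd = safe_open_mailbox(plain, getuid())) >= 0) { ok++; close(fd); }
    if (symlink("/dev/null", sym) == 0 && safe_open_mailbox(sym, getuid()) < 0)
        ok++;                                         /* symlink refused */
    if (link(plain, extra) == 0 && safe_open_mailbox(plain, getuid()) < 0)
        ok++;                                         /* nlink == 2 refused */
    unlink(extra);
    if (safe_open_mailbox(plain, getuid() + 1) < 0)
        ok++;                                         /* wrong owner refused */
    unlink(plain); unlink(sym); rmdir(dir);
    return ok;
}
```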
Created attachment 161569: postfix-2.4.7-CVE-2008-2936.patch unified diff
Created attachment 161570: postfix-2.4.7-CVE-2008-2937.patch backported patch from 2.5.3
Created attachment 161572: postfix-2.4.7-r1-overlay.tar.gz tar'ed up overlay
Tobias: I backported the patch and named them consistently. I'm not sure how you feel about 2.4.7 going stable, but it seemed easiest to me documentation-wise. If you could test/approve the attached overlay, we can cc arches. Expected embargo date is Aug. 14
Created attachment 162101: postfix-2.5.3-r1.ebuild
Created attachment 162102: postfix-2.5.3-CVE-2008-2936.patch
(In reply to comment #11)
> Tobias: I backported the patch and named them consistently. I'm not sure how
> you feel about 2.4.7 going stable, but it seemed easiest to me
> documentation-wise. If you could test/approve the attached overlay, we can cc
> arches.
>
> Expected embargo date is Aug. 14
>
As discussed with Robert on IRC I'd prefer to go with 2.5.3 (-r1 that is) instead of backporting the fixes to 2.4.7-r1 because the patch for CVE-2008-2937 changes postfix' behaviour. I'd ask all arch teams to test 2.5.3-r1 but also 2.4.7-r1 so we have a fallback option if problems in 2.5.3 show up (I don't expect so, there are no open bugs reported on 2.5.*); plus, updating from 2.4 to 2.5 should be quite simple.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink
amd64 : keytoaster
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : tsunam
Sparc looks OK. Built with USE flags: USE='ldap mailwrapper mysql pam ssl'
looks good on ppc64
HPPA is OK for both.
Fine on amd64.
Adding maekke for x86
I would not rate it A1 because of the very particular conditions needed to exploit this issue. By the way, on Gentoo with /var/spool/mail having permissions 775 root:mail, it's only a (mail group) -> root privilege escalation. And, by default, the mail group contains no end-user. I'm not even sure Gentoo should be considered affected.
Looks okay on alpha/ia64/x86
We could rerate it B1 due to the fact that it only affects mbox setups with users in the "mail" group or /var/mail being 01777. I would consider Gentoo affected because we do not discourage configurations that would be affected, even if they are not default.
(In reply to comment #23)
> We could rerate it B1 due to the fact that it only affects mbox setups with
> users in the "mail" group or /var/mail being 01777.
OK for B1.
I'm ready to commit the stuff within a few hours. Every supported arch reported it's fine, except ppc, for which it has not been validated yet. Thanks for your efficient work, everybody!
(In reply to comment #25)
> i'm ready to commit the stuff within a few hours. Every supported arch reported
> it's fine. Except ppc for which it has not been validated yet.
>
> Thanks for your efficient work, everybody!
>
*cough* of course it has been validated for ppc :P so yeah, it's good to go for ppc ;)
Opening to the public domain since it's now public.
And GLSA 200808-12. Thanks for your good work everybody!
*** Bug 242638 has been marked as a duplicate of this bug. ***
Hi, I have 2.4.9 and glsa-check still reports it as vulnerable.
c1 etc # glsa-check -l | grep "\[N"
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.
200808-12 [N] Postfix: Local privilege escalation vulnerability ( mail-mta/postfix )
c1 etc # equery l postfix
[ Searching for package 'postfix' in all categories among: ]
 * installed packages
[I--] [ ] mail-mta/postfix-2.4.9 (0)
Corrected, thanks.