Subject: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 13:17:54 +0200
Package: muttprint
Version: 0.73-8
Severity: grave
Tags: security upstream
Justification: user security hole
The muttprint Perl script contains:
my $logf = "/tmp/muttprint.log";
if (-e $logf)
{ ## 2008-12-24 -- Lukas Ruf
# close CVE-2008-5368 -- muttprint vulnerable to symlink attack
# ensure "/tmp/muttprint.log" adheres to the following constraints
# - owner is current user
# - only real files are allowed
# if any of these fail, create a temporary file by use of tempfile()
[...]
So, it first tests whether /tmp/muttprint.log exists, and potentially
uses an alternate pathname if it does. But if a /tmp/muttprint.log
symlink is created between the test (which returns false) and the
time this file is created, there's a security issue.
It would be sufficient to use a secure temporary file unconditionally
(and this is probably better, as more predictable).
BTW, using a hardcoded /tmp for temporary files is a bad idea anyway.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages muttprint depends on:
ii libtext-iconv-perl 1.7-5+b6
ii perl 5.26.0-8
ii texlive-fonts-recommended 2017.20171004-1
ii texlive-latex-extra 2017.20171004-1
ii texlive-latex-recommended 2017.20171004-1
Versions of packages muttprint recommends:
ii emacs24-lucid [mail-reader] 24.5+1-11+local2
ii emacs25 [mail-reader] 25.2+1-6
ii evolution [mail-reader] 3.26.1-1
ii libtimedate-perl 2.3000-2
ii mailutils [mail-reader] 1:3.2-1
ii mutt [mail-reader] 1.8.3+neomutt20170609-2+b1
Versions of packages muttprint suggests:
pn compface <none>
ii dialog 1.3-20160828-2
ii emacs24-lucid [news-reader] 24.5+1-11+local2
ii emacs25 [news-reader] 25.2+1-6
ii imagemagick 8:6.9.7.4+dfsg-16
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-16
ii lynx [news-reader] 2.8.9dev16-1
ii muttprint-manual 0.73-8
pn ospics <none>
ii psutils 1.17.dfsg-4
ii texlive-fonts-extra 2017.20171004-1
ii tin [news-reader] 1:2.4.1-1
-- no debconf information
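The two approaches the report asks for (an unconditional secure temp file, or an atomic create for the fixed name that cannot follow a planted symlink), together with a read of the fs.protected_symlinks sysctl that the thread refers to. This is an added example written for this page, not code from muttprint; the template name, the use of File::Spec->tmpdir() in place of a hardcoded /tmp, and the /proc path are assumptions.

```perl
#!/usr/bin/perl
# Added example, not muttprint's own code: open the log without a
# check-then-create window, and report the kernel symlink protection
# discussed in the thread. Template/dir names are illustrative.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Spec;
use File::Temp qw(tempfile);

# Variant A: always use a unique temp file, as the report suggests.
# tempfile() creates with O_CREAT|O_EXCL, so the "-e" test that opened
# the race disappears, and the directory honours $TMPDIR instead of a
# hardcoded /tmp.
sub open_log_tempfile {
    my ($fh, $name) = tempfile('muttprint.XXXXXXXX',
                               DIR => File::Spec->tmpdir());
    return ($fh, $name);
}

# Variant B: if a fixed name must be kept, create it atomically.
# O_EXCL fails when anything already exists at that path and
# O_NOFOLLOW refuses a symlink, so a symlink planted between a check
# and the open cannot be followed; the caller gets undef instead.
sub open_log_fixed {
    my ($logf) = @_;
    sysopen(my $fh, $logf, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return undef;
    return $fh;
}

# The sysctl the thread refers to (fs.protected_symlinks, Linux >= 3.6):
# 1 means symlinks in sticky world-writable dirs such as /tmp are only
# followed when owner checks pass. Returns undef where it is not exposed.
sub protected_symlinks {
    open(my $fh, '<', '/proc/sys/fs/protected_symlinks') or return undef;
    chomp(my $v = <$fh> // '');
    close $fh;
    return $v;
}

my ($fh, $name) = open_log_tempfile();
print "logging to $name\n";
close $fh;
unlink $name;
printf "fs.protected_symlinks=%s\n", protected_symlinks() // 'unavailable';
```

Note that variant B still refuses to open when a regular file already sits at the fixed path, which is the denial-of-service the reporter mentions; variant A avoids that as well.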
Acknowledgement sent
to Moritz Muehlenhoff <[email protected]>:
Extra info received and forwarded to list. Copy sent to Rene Engelhard <[email protected]>.
(Tue, 10 Oct 2017 12:00:05 GMT)
Subject: Re: Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 13:58:16 +0200
On Tue, Oct 10, 2017 at 01:17:54PM +0200, Vincent Lefevre wrote:
> Package: muttprint
> Version: 0.73-8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> The muttprint Perl script contains:
>
> my $logf = "/tmp/muttprint.log";
>
> if (-e $logf)
> { ## 2008-12-24 -- Lukas Ruf
> # close CVE-2008-5368 -- muttprint vulnerable to symlink attack
> # ensure "/tmp/muttprint.log" adheres to the following constraints
> # - owner is current user
> # - only real files are allowed
> # if any of these fail, create a temporary file by use of tempfile()
> [...]
>
> So, it first tests whether /tmp/muttprint.log exists, and potentially
> uses an alternate pathname if it does. But if a /tmp/muttprint.log
> symlink is created between the test (which returns false) and the
> time this file is created, there's a security issue.
>
> It would be sufficient to use a secure temporary file unconditionally
> (and this is probably better, as more predictable).
>
> BTW, using a hardcoded /tmp for temporary files is a bad idea anyway.
This is neutralised by kernel hardening starting with stretch, see release notes:
https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security
Cheers,
Moritz
Subject: Re: Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 14:27:24 +0200
On Tue, Oct 10, 2017 at 02:16:28PM +0200, Vincent Lefevre wrote:
> On 2017-10-10 13:58:16 +0200, Moritz Muehlenhoff wrote:
> > This is neutralised by kernel hardening starting with stretch, see release notes:
> > https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security
>
> which is there just because of this kind of bug.
>
> Note also that this is still an optional feature, and not all users
> use Debian provided kernels.
It is not optional, see the release notes section I quoted. If you run a custom kernel
you need to enable it, otherwise you're on your own.
Cheers,
Moritz
Subject: Re: Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 15:42:40 +0200
On 2017-10-10 14:27:24 +0200, Moritz Muehlenhoff wrote:
> On Tue, Oct 10, 2017 at 02:16:28PM +0200, Vincent Lefevre wrote:
> > On 2017-10-10 13:58:16 +0200, Moritz Muehlenhoff wrote:
> > > This is neutralised by kernel hardening starting with stretch, see release notes:
> > > https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security
> >
> > which is there just because of this kind of bug.
> >
> > Note also that this is still an optional feature, and not all users
> > use Debian provided kernels.
>
> It is not optional, see the release notes section I quoted.
It is said: "It is enabled in the Debian Linux kernel by default."
^^^^^^^^^^
Thus, that's optional. There is no guarantee that it is enabled
after a system configuration change (done on purpose, due to a
bug, or whatever). One should not blindly rely on this feature.
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Subject: Re: Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 16:02:31 +0200
On Tue, Oct 10, 2017 at 03:42:40PM +0200, Vincent Lefevre wrote:
> On 2017-10-10 14:27:24 +0200, Moritz Muehlenhoff wrote:
> > On Tue, Oct 10, 2017 at 02:16:28PM +0200, Vincent Lefevre wrote:
> > > On 2017-10-10 13:58:16 +0200, Moritz Muehlenhoff wrote:
> > > > This is neutralised by kernel hardening starting with stretch, see release notes:
> > > > https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security
> > >
> > > which is there just because of this kind of bug.
> > >
> > > Note also that this is still an optional feature, and not all users
> > > use Debian provided kernels.
> >
> > It is not optional, see the release notes section I quoted.
>
> It is said: "It is enabled in the Debian Linux kernel by default."
> ^^^^^^^^^^
> Thus, that's optional. There is no guarantee that it is enabled
> after a system configuration change (done on purpose, due to a
> bug, or whatever). One should not blindly rely on this feature.
It is not optional. You omitted to quote the second part:
"/tmp-related bugs which are rendered non-exploitable by this mechanism
are not treated as security vulnerabilities. If you use a custom
Linux kernel you should enable it using a sysctl setting"
Cheers,
Moritz
Subject: Re: Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 16:34:58 +0200
On 2017-10-10 16:02:31 +0200, Moritz Muehlenhoff wrote:
> It is not optional.
The procfs(5) man page disagrees.
> You omitted to quote the second part:
>
> "/tmp-related bugs which are rendered non-exploitable by this mechanism
> are not treated as security vulnerabilities. If you use a custom
> Linux kernel you should enable it using a sysctl setting"
In any case, even though a symlink attack is not possible under this
condition, there's still a potential DoS in the code.
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)