Debian Bug report logs - #878138
muttprint: still vulnerable to symlink attack (race condition)

Package: muttprint; Maintainer for muttprint is Rene Engelhard <[email protected]>; Source for muttprint is src:muttprint.

Reported by: Vincent Lefevre <[email protected]>

Date: Tue, 10 Oct 2017 11:21:06 UTC

Severity: important

Tags: security, upstream

Found in version muttprint/0.73-8

Subject: Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Date: Tue, 10 Oct 2017 16:34:58 +0200
From: Vincent Lefevre <[email protected]>
To: Moritz Muehlenhoff <[email protected]>
Cc: [email protected]
Message-ID: <[email protected]>

On 2017-10-10 16:02:31 +0200, Moritz Muehlenhoff wrote:
> It is not optional.

The procfs(5) man page disagrees.

> You omitted to quote the second part:
> 
> "/tmp-related bugs which are rendered non-exploitable by this mechanism 
> are not treated as security vulnerabilities. If you use a custom 
> Linux kernel you should enable it using a sysctl setting"

In any case, even though a symlink attack is not possible under this
condition, there's still a potential DoS in the code.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
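
An added example (not part of this bug log and not muttprint's code) illustrating the distinction drawn in the message above: creating a predictable name in a shared directory with O_EXCL stops the symlink from being followed but still leaves the caller blocked, whereas an unpredictable name avoids both outcomes. The directory layout and the `print-job` names are hypothetical; the sysctl path is the one documented in proc(5).

```python
import os
import tempfile

SYSCTL = "/proc/sys/fs/protected_symlinks"  # kernel setting described in proc(5)

def protected_symlinks_enabled(path=SYSCTL):
    """Return True/False for the sysctl, or None when it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def create_predictable(directory, name):
    """Create a fixed-name file, refusing any pre-existing entry.

    O_EXCL turns an existing file or symlink into an error instead of a
    write target, so nothing is clobbered, but the caller cannot proceed:
    that is the remaining denial of service.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(os.path.join(directory, name), flags, 0o600)

def create_unpredictable(directory, prefix):
    """mkstemp: random suffix, O_EXCL, mode 0600, retried on collision."""
    return tempfile.mkstemp(prefix=prefix, dir=directory)

def demo():
    """Constructed scenario: the predictable name already exists as a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        other = os.path.join(shared, "other-file.txt")
        open(other, "w").close()
        os.symlink(other, os.path.join(shared, "print-job.tmp"))
        try:
            os.close(create_predictable(shared, "print-job.tmp"))
            results["predictable"] = "created"
        except FileExistsError:
            results["predictable"] = "blocked"   # safe, but no output produced
        fd, path = create_unpredictable(shared, "print-job-")
        os.write(fd, b"data")
        os.close(fd)
        results["unpredictable"] = "created"
        results["other_size"] = os.path.getsize(other)  # link target untouched
        results["mode"] = oct(os.stat(path).st_mode & 0o777)
    return results

if __name__ == "__main__":
    print("protected_symlinks:", protected_symlinks_enabled())
    print(demo())
```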

Debian bug tracking system administrator <[email protected]>. Last modified: Thu May 15 18:42:17 2025; Machine Name: bembo