Package: mailscanner Version: 4.55.10-3 Severity: grave Tags: security Hi,
I have found more issues on the autoupdate scripts and other files shipped by
mailscanner than those reported in CVE-2008-5140[1].
In 4.55.10-3, grepping the files throw this:
/etc/MailScanner/autoupdate/:
> f-prot-autoupdate:$TempDir = "/var/tmp/f-prot";
> f-prot-autoupdate:$TmpFile = "tmp-web";
> clamav-autoupdate:$LogFile = "/tmp/ClamAV.update.log";
> panda-autoupdate.new:TEMPDIR="/tmp"
> trend-autoupdate.new:wget -q -O /tmp/$OPRINI $FTPSERV/opr.ini
> trend-autoupdate.new:NEWVER=`grep PatternVersionNPF /tmp/opr.ini.$$ | sed
s/^PatternVersionNPF=//g | cut -c 3-5`
> trend-autoupdate.new: wget -q -P /tmp $FTPSERV/lpt$NEWVER.zip
> trend-autoupdate.new: DATCHECK=`unzip -o -t /tmp/lpt$NEWVER.zip |
> grep "No errors"`
> trend-autoupdate.new: mv /tmp/lpt$NEWVER.zip /etc/iscan
> trend-autoupdate.new:rm -f /tmp/lpt*.zip /tmp/$OPRINI $PackageDir/*.zip
> rav-autoupdate.new:my($LockFile) = '/tmp/RavBusy.lock';
(omitting other affected files in that package version, read below)
In 4.68.8-1:
/etc/MailScanner/autoupdate/:
> f-prot-autoupdate:$TempDir = "$FProtRoot/tmp";
> f-prot-autoupdate:$TmpFile = "tmp-web";
> clamav-autoupdate:$LogFile = "/tmp/ClamAV.update.log";
> avast-autoupdate:$LogFile = "/tmp/Avast.update.log";
> f-prot-6-autoupdate:my $logfile = "/tmp/f-prot-6-update-$$";
> f-prot-6-autoupdate: unlink "/tmp/fpavdef.lock";
/etc/MailScanner/wrapper/:
> bitdefender-wrapper:LogFile=/tmp/log.bdc.$$
> kaspersky-wrapper: Report=/tmp/kavoutput.tmp.$$
> kaspersky-wrapper: Report=/tmp/kavoutput.tmp.$$
> kaspersky-wrapper: Report=/tmp/kavoutput.tmp.$$
> clamav-wrapper:TempDir="/tmp/clamav.$$"
> clamav-wrapper:if [ -x "${TempDir}" ]; then
> clamav-wrapper: rm -rf ${TempDir} >/dev/null 2>&1
> clamav-wrapper:mkdir "${TempDir}" >/dev/null 2>&1
> clamav-wrapper:trap "rm -rf ${TempDir}" EXIT
> clamav-wrapper: ExtraScanOptions="$ExtraScanOptions --tempdir=${TempDir}"
> clamav-wrapper: chown ${ClamUser}:${ClamGroup} "${TempDir}"
> clamav-wrapper:if [ -x "${TempDir}" ]; then
> clamav-wrapper: rm -rf ${TempDir}
> rav-wrapper:my $tmpdir = '/tmp';
> rav-wrapper:my $reportfile = sprintf('%s/report.vir.%s', $tmpdir, $$);
/usr/share/MailScanner/MailScanner/:
> Quarantine.pm: $testfn = MailScanner::Config::Value('lockfiledir')
> || '/tmp';
> TNEF.pm: require File::Temp;
> TNEF.pm: mkdir "/tmp/tnef.$$", 0777;
> TNEF.pm: chmod 0700, "/tmp/tnef.$$";
> TNEF.pm: output_dir => "/tmp/tnef.$$",
> TNEF.pm: system("rm -rf /tmp/tnef.$$");
> TNEF.pm: system("rm -rf /tmp/tnef.$$");
> MessageBatch.pm: my $newmessage = MailScanner::Message->new(1, '/tmp', 1);
> MessageBatch.pm: my $fh = new FileHandle(">/tmp/MSLint.body.$$");
> MessageBatch.pm: $newmessage->{store}->{dpath} = "/tmp/MSLint.body.$$";
> WorkArea.pm: $testfn = MailScanner::Config::Value('lockfiledir') ||
> '/tmp';
> WorkArea.pm: or MailScanner::Log::DieLog("Cannot create temporary Work
> Dir %s. " .
> SA.pm: # Create the $TMPDIR for SpamAssassin if necessary, then check we
> can
> SA.pm: # write to it. If not, change to /tmp.
> SA.pm: my $tmpdir = MailScanner::Config::Value('spamassassintempdir');
> SA.pm: mkdir $tmpdir;
> SA.pm: stat $tmpdir; # Is the directory writeable?
> SA.pm: $tmpdir = '/tmp' unless -d _ && -r _ && -w _ && -x _;
> SA.pm: $ENV{'TMPDIR'} = $tmpdir;
> SA.pm: MailScanner::Log::InfoLog("SpamAssassin temporary working directory
> is %s",
> SA.pm: $tmpdir);
> SA.pm: print STDERR "SpamAssassin temp dir = $tmpdir\n";
Other dirs:
> /etc/MailScanner/mailscanner.conf.with.mcp:Lockfile Dir = /tmp
> /usr/sbin/MailScanner: unlink "/tmp/MSLint.body.$$";
> /usr/sbin/MailScanner: $msg = MailScanner::Message->new('1','/tmp','fake');
I'm using severity grave as this package should definitely not be shipped in
any release as is.
A good start point to fix this mess is by checking the above mentioned files,
and then grep -riE "\bte?mp[^l]" path/to/code, and carefully review the
matches files.
Of course, not even that would guarantee that there are no left ways to
conduct symlink attacks via temporary files.
A full code audition is really needed IMHO.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5140
http://security-tracker.debian.net/tracker/CVE-2008-5140
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
signature.asc
Description: This is a digitally signed message part.

