Re: Stefan Fritsch 2006-10-29 <[EMAIL PROTECTED]> > Some tempfile race condition vulnerabilities have been found in mutt: > > CVE-2006-5297: > Race condition in the safe_open function in the Mutt mail client > 1.5.12 and earlier, when creating temporary files in an NFS > filesystem, allows local users to overwrite arbitrary files due to > limitations of the use of the O_EXCL flag on NFS filesystems. > > CVE-2006-5298: > The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and > earlier does not properly verify that temporary files have been > created with restricted permissions, which might allow local users to > create files with weak permissions via a race condition between the > mktemp and safe_fopen function calls.
Hi, here's the changelog for the NMU I'll upload in a minute. It'd be nice to see this included in etch. debdiff mutt_1.5.13-1.dsc /srv/pbuilder/result/mutt_1.5.13-1.1.dsc mutt-1.5.13/debian/changelog | 8 ++ mutt-1.5.13/debian/patches/series | 1 debian/patches/misc/tempfile-race.diff | 100 +++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+) diff -u mutt-1.5.13/debian/changelog mutt-1.5.13/debian/changelog --- mutt-1.5.13/debian/changelog +++ mutt-1.5.13/debian/changelog @@ -1,3 +1,11 @@ +mutt (1.5.13-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Add upstream patch to fix insecure temp file generation + (Closes: #396104, CVE-2006-5297, CVE-2006-5298). + + -- Christoph Berg <[EMAIL PROTECTED]> Tue, 12 Dec 2006 14:49:24 +0100 + mutt (1.5.13-1) unstable; urgency=low * New upstream release, with a new pattern to match full threads (see diff -u mutt-1.5.13/debian/patches/series mutt-1.5.13/debian/patches/series --- mutt-1.5.13/debian/patches/series +++ mutt-1.5.13/debian/patches/series @@ -17,6 +17,7 @@ debian-specific/dont_document_not_present_features.diff -p0 misc/define-pgp_getkeys_command.diff -p0 +misc/tempfile-race.diff misc/autotools-update.diff -p0 upstream/thread_pattern_in_UPDATING.diff -p0 only in patch2: unchanged: --- mutt-1.5.13.orig/debian/patches/misc/tempfile-race.diff +++ mutt-1.5.13/debian/patches/misc/tempfile-race.diff @@ -0,0 +1,100 @@ +From: roessler <roessler> +Date: Mon, 9 Oct 2006 13:39:38 +0000 (+0000) +Subject: From: Thomas Roessler <[EMAIL PROTECTED]> +X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=f6404a53a2b7a9a3b36d89def185e1192abdd108 + + 
From: Thomas Roessler <[EMAIL PROTECTED]>
+
+ Even more paranoid temporary file creation.
+---
+
+--- a/lib.c
++++ b/lib.c
+@@ -481,14 +481,85 @@ int safe_rename (const char *src, const
+ return 0;
+ }
+
++/* Create a temporary directory next to a file name */
++
++int mutt_mkwrapdir (const char *path, char *newfile, size_t nflen,
++ char *newdir, size_t ndlen)
++{
++ const char *basename;
++ char parent[_POSIX_PATH_MAX];
++ char *p;
++ int rv;
++
++ strfcpy (parent, NONULL (path), sizeof (parent));
++
++ if ((p = strrchr (parent, '/')))
++ {
++ *p = '\0';
++ basename = p + 1;
++ }
++ else
++ {
++ strfcpy (parent, ".", sizeof (parent));
++ basename = path;
++ }
++
++ do
++ {
++ snprintf (newdir, ndlen, "%s/%s", parent, ".muttXXXXXX");
++ mktemp (newdir);
++ }
++ while ((rv = mkdir (newdir, 0700)) == -1 && errno == EEXIST);
++
++ if (rv == -1)
++ return -1;
++
++ snprintf (newfile, nflen, "%s/%s", newdir, NONULL(basename));
++ return 0;
++}
++
++int mutt_put_file_in_place (const char *path, const char *safe_file, const char *safe_dir)
++{
++ int rv;
++
++ rv = safe_rename (safe_file, path);
++ unlink (safe_file);
++ rmdir (safe_dir);
++ return rv;
++}
++
+ int safe_open (const char *path, int flags)
+ {
+ struct stat osb, nsb;
+ int fd;
+
+- if ((fd = open (path, flags, 0600)) < 0)
+- return fd;
++ if (flags & O_EXCL)
++ {
++ char safe_file[_POSIX_PATH_MAX];
++ char safe_dir[_POSIX_PATH_MAX];
+
++ if (mutt_mkwrapdir (path, safe_file, sizeof (safe_file),
++ safe_dir, sizeof (safe_dir)) == -1)
++ return -1;
++
++ if ((fd = open (safe_file, flags, 0600)) < 0)
++ {
++ rmdir (safe_dir);
++ return fd;
++ }
++
++ if (mutt_put_file_in_place (path, safe_file, safe_dir) == -1)
++ {
++ close (fd);
++ return -1;
++ }
++ }
++ else
++ {
++ if ((fd = open (path, flags, 0600)) < 0)
++ return fd;
++ }
++
+ /* make sure the file is not symlink */
+ if (lstat (path, &osb) < 0 || fstat (fd, &nsb) < 0 ||
+ compare_stat(&osb, &nsb) == -1)
Christoph
-- 
[EMAIL PROTECTED] | 
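Review bot: Both snprintf calls in mutt_mkwrapdir discard their return value, so a path whose parent or basename does not fit the `_POSIX_PATH_MAX` buffers is silently truncated and the wrapper directory or the file handed back in newfile is not the name the caller asked for; check for truncation and fail instead, e.g. `int n = snprintf (newfile, nflen, "%s/%s", newdir, NONULL(basename)); if (n < 0 || (size_t) n >= nflen) { rmdir (newdir); return -1; }`, and likewise for the newdir snprintf inside the loop before the mkdir. The mktemp/mkdir/EEXIST loop is sound as written, but `mkdtemp(3)` does the same creation atomically in one call with mode 0700 and avoids the link-time warning glibc attaches to mktemp; `if (!mkdtemp (newdir)) return -1;` would replace the loop on platforms that provide it. The atomicity this path relies on comes from safe_rename, which is defined outside the hunk, and the body of safe_open continues past the hunk's last line.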
http://www.df7cb.de/