Linux Today: Linux News On Internet Time.






Progeny Security Advisory: mailx buffer overflow

Apr 09, 2001, 23:00
Date:         Mon, 9 Apr 2001 06:31:31 -0500
Reply-To: Progeny Security Team <security@PROGENY.COM>
Sender: Bugtraq List 
From: Progeny Security Team 
Subject:      PROGENY-SA-2001-03: mailx buffer overflow

 ---------------------------------------------------------------------------
 PROGENY LINUX SYSTEMS -- SECURITY ADVISORY               PROGENY-SA-2001-03
 ---------------------------------------------------------------------------

    Topic:          mailx buffer overflow

    Category:       mail
    Module:         mailx
    Announced:      2001-04-09
    Credits:        Debian Security Team 
    Affects:        Progeny Debian (mailx prior to 8.1.1-10.1.5progeny1)
                    Debian GNU/Linux (mailx prior to 8.1.1-10.1.5)
    Vendor-Status:  New Version Released (mailx_8.1.1-10.1.5progeny1)
    Corrected:      2001-04-09
    Progeny Only:   NO

    $Id: PROGENY-SA-2001-03,v 1.5 2001/04/09 08:39:58 csg Exp $

 ---------------------------------------------------------------------------


SYNOPSIS

A buffer overflow in mailx allows a local user to gain access to the
mail group.


PROBLEM DESCRIPTION

Mailx is a simple program to read and send e-mail.  Mailx is installed
setgid mail on Progeny and Debian systems.  A buffer overflow in mailx
allows for a local user to gain access to the mail group, which would
allow that user to read and write to other mail spools.

Debian resolved this problem by no longer shipping mailx setgid mail.
Progeny has decided to use Debian's fix.  This means that on mail
systems that do not have world-writable mail spools, one will not be
able to properly lock one's mailbox.


IMPACT

Local users can compromise the privileges of the mail group.


SOLUTION

Upgrade to a fixed version of mailx.  You may use Progeny's mailx package,
version mailx_8.1.1-10.1.5progeny1, for convenience.


WORKAROUND

 1. If you do not have the suidmanager package (which supplies the
    suidregister command) installed, you can retrieve it by running the
    following command.  If you already have this package, skip to the
    second step of the workaround.

        apt-get update && apt-get install suidmanager

 2. Now you can manually apply this fix by running the following as root:

        suidregister /usr/bin/mail root root 0755
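
A way to confirm that the workaround took effect, given as an added example that is not part of the Progeny advisory. It assumes GNU stat and find (as shipped on Debian-based systems); the function names are hypothetical helpers, not commands from suidmanager.

```shell
#!/bin/sh
# Added example: check that a binary is no longer setgid after the
# suidregister workaround. Assumes GNU stat(1) and find(1).

# Print "<octal mode> <uid> <gid>" for a file, e.g. "755 0 0".
file_perms() {
    stat -c '%a %u %g' "$1"
}

# Succeed only if FILE has exactly the expected mode, owner and group.
# The advisory's "root root 0755" corresponds to:
#   perms_match /usr/bin/mail 755 0 0
perms_match() {
    [ "$(file_perms "$1")" = "$2 $3 $4" ]
}

# List regular files under DIR that still carry the setgid bit for
# GROUP (name or numeric gid). Each hit is a program that runs with
# that group's privileges, e.g.: setgid_files /usr/bin mail
setgid_files() {
    find "$1" -xdev -type f -perm -2000 -group "$2" 2>/dev/null
}

# Report on one binary; return non-zero if it is still setgid.
# Example: audit_binary /usr/bin/mail
audit_binary() {
    if [ ! -e "$1" ]; then
        echo "$1: not installed"
        return 0
    fi
    if [ -g "$1" ]; then
        echo "$1: STILL SETGID ($(file_perms "$1"))"
        return 1
    fi
    echo "$1: setgid bit clear ($(file_perms "$1"))"
}
```

Run `audit_binary /usr/bin/mail` as any user after step 2; `setgid_files /usr/bin mail` then shows whatever else on the system still runs with mail group privileges.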


UPDATING VIA APT-GET

 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
    security update repository:

        deb http://archive.progeny.com/progeny updates/newton/

 2. Update your cache of available packages for apt(8).

    Example:

        # apt-get update

 3. Using apt(8), install the new mailx package.  apt(8) will download
    the update, verify its integrity with md5, and then install the
    package on your system with dpkg(8).

    Example:

        # apt-get install mailx


UPDATING VIA DPKG

 1. Use your preferred FTP/HTTP client to retrieve the following
    updated files from Progeny's update archive at:

    http://archive.progeny.com/pub/progeny/updates/newton/

    Filename                             MD5 Checksum
    ------------------------------------ --------------------------------
    mailx_8.1.1-10.1.5progeny1_i386.deb  fe12bbc355688e9eeff853cf13ed7f58

    Example:

        # wget http://archive.progeny.com/pub/progeny/updates/newton/mailx_8.1.1-10.1.5progeny1_i386.deb

 2. Use the md5sum command on the retrieved file to verify that it matches
    the md5sum provided in this advisory:

    Example:

        # md5sum mailx_8.1.1-10.1.5progeny1_i386.deb

 3. Then install the replacement package(s) using the dpkg command.

    Example:

        # dpkg --install mailx_8.1.1-10.1.5progeny1_i386.deb


MORE INFORMATION

There is no more information available at this time.

 ---------------------------------------------------------------------------

pub  1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>