[packages/elm.git] / elm-security.patch

From owner-linux-security@tarsier.cv.nrao.edu Sat Sep  2 11:42:09 1995
Received: from tarsier.cv.nrao.edu (tarsier.cv.nrao.edu [192.33.115.50]) by redhat.com (8.6.11/8.6.9) with ESMTP id LAA10004 for <marc@redhat.com>; Sat, 2 Sep 1995 11:42:05 -0400
Received: (from majdom@localhost) by tarsier.cv.nrao.edu (8.6.12/8.6.9) id IAA06787; Sat, 2 Sep 1995 08:47:44 -0400
Received: from cortex.AMS.Med.Uni-Goettingen.DE (root@cortex.AMS.Med.Uni-Goettingen.DE [134.76.140.101]) by tarsier.cv.nrao.edu (8.6.12/8.6.9) with ESMTP id FAA06456; Sat, 2 Sep 1995 05:57:10 -0400
Received: by cortex.AMS.Med.Uni-Goettingen.DE (Smail3.1.29.1 #9)
	id m0sopJH-0005G8C; Sat, 2 Sep 95 11:56 MET DST
Date: Sat, 2 Sep 1995 11:56:22 +0200 (MET DST)
From: Lutz Pressler <Lutz.Pressler@Unix.AMS.Med.Uni-Goettingen.DE>
To: Olaf Kirch <okir@monad.swb.de>
cc: linux-security@tarsier.cv.nrao.edu, BUGTRAQ@CRIMELAB.COM
Subject: elm and /tmp/mbox.*: patch
Message-ID: <Pine.LNX.3.91lp.950902113951.11841A-100000@cortex.AMS.Med.Uni-Goettingen.DE>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-linux-security@tarsier.cv.nrao.edu
Precedence: list
Status: RO

-----BEGIN PGP SIGNED MESSAGE-----

Hello,

as Olaf Kirch <okir@monad.swb.de> found out, elm (at least 2.4, including
elm-2.4pl24me6) opens it's temporary mbox file in /tmp without checking
for existing symlinks. This can be exploited by a local user: for example
to create an .rhosts file for another account which has none yet - with
valid entries, thus getting access to that account.

The following patch (to be applied in the elm distribution directory)
disables this possibility by changing the temporary mailbox file location
to be .mbox.* in the users' home directory. This prohibits multiple elm
sessions on different hosts with shared home dir, but as in this case the
mail spool is probably shared, too, this should not be a problem.

It seems that the other files sometimes created by elm in /tmp are not
so problematic. I haven't checked this thoroughly yet though.

Regards,
  Lutz

Patch follows (remove PGPs "- " !):

--- elm2.5.3/hdrs/sysdefs.SH.security	Tue Feb 29 08:12:44 2000
+++ elm2.5.3/hdrs/sysdefs.SH	Tue Feb 29 08:17:14 2000
@@ -107,7 +107,7 @@
 #define	default_temp   	"$tmpdir/"
 #define temp_file	"snd."
 #define temp_form_file	"form."
-#define temp_mbox	"mbox."
+#define temp_mbox	".mbox."
 #define temp_print      "print."
 #define temp_edit	"elm-edit"
 #define temp_uuname	"uuname."
--- elm2.5.3/src/newmbox.c.security	Tue Feb 29 08:10:35 2000
+++ elm2.5.3/src/newmbox.c	Tue Feb 29 08:18:20 2000
@@ -244,7 +244,7 @@
 
 	char *cp;
 
-	sprintf(tempfn, "%s%s", default_temp, temp_mbox);
+	sprintf(tempfn, "%s/.elm/%s", user_home, temp_mbox);
         cp = basename(mbox);
 	if (strcmp(cp, "mbox") == 0 || strcmp(cp, "mailbox") == 0 ||
 		strcmp(cp, "inbox") == 0 || *cp == '.')

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMEgqGE8rRJEuvpUdAQGQKAP9H2UXf3CbyC5/fZifAV9OzKoR6eGEwloA
H/8+OJEfpwOacYCpcoi4Njkaj2bEzjlyRxzDnz0VBFPdurxvFsN2cM9qMAN2tvNZ
qnP73hXFkLsi/ga8mmuVYeYgzoZJZOzPKSgA7SvtV8aD8WR/IK9Ze56beei5BIEx
jlwv9TGpI7A=
=82WU
-----END PGP SIGNATURE-----


--
Lutz Pre"sler      <URL:http://www.AMS.Med.Uni-Goettingen.DE/~lpressl1/>
Systemverwaltung -- Abt. Medizinische Statistik, Universit"at G"ottingen
Humboldtallee 32, D-37073 G"ottingen, Tel.: +49(0551) 39-9774 FAX: -4995
<Lutz.Pressler@AMS.Med.Uni-Goettingen.DE> [PGP-key:WWW&Keyserver] IRC:lp
Commit	Line	Data
45a2ec40	1	From owner-linux-security@tarsier.cv.nrao.edu Sat Sep 2 11:42:09 1995
	2	Received: from tarsier.cv.nrao.edu (tarsier.cv.nrao.edu [192.33.115.50]) by redhat.com (8.6.11/8.6.9) with ESMTP id LAA10004 for <marc@redhat.com>; Sat, 2 Sep 1995 11:42:05 -0400
	3	Received: (from majdom@localhost) by tarsier.cv.nrao.edu (8.6.12/8.6.9) id IAA06787; Sat, 2 Sep 1995 08:47:44 -0400
	4	Received: from cortex.AMS.Med.Uni-Goettingen.DE (root@cortex.AMS.Med.Uni-Goettingen.DE [134.76.140.101]) by tarsier.cv.nrao.edu (8.6.12/8.6.9) with ESMTP id FAA06456; Sat, 2 Sep 1995 05:57:10 -0400
	5	Received: by cortex.AMS.Med.Uni-Goettingen.DE (Smail3.1.29.1 #9)
	6	id m0sopJH-0005G8C; Sat, 2 Sep 95 11:56 MET DST
	7	Date: Sat, 2 Sep 1995 11:56:22 +0200 (MET DST)
	8	From: Lutz Pressler <Lutz.Pressler@Unix.AMS.Med.Uni-Goettingen.DE>
	9	To: Olaf Kirch <okir@monad.swb.de>
	10	cc: linux-security@tarsier.cv.nrao.edu, BUGTRAQ@CRIMELAB.COM
	11	Subject: elm and /tmp/mbox.*: patch
	12	Message-ID: <Pine.LNX.3.91lp.950902113951.11841A-100000@cortex.AMS.Med.Uni-Goettingen.DE>
	13	MIME-Version: 1.0
	14	Content-Type: TEXT/PLAIN; charset=US-ASCII
	15	Sender: owner-linux-security@tarsier.cv.nrao.edu
	16	Precedence: list
	17	Status: RO
	18
	19	-----BEGIN PGP SIGNED MESSAGE-----
	20
	21	Hello,
	22
	23	as Olaf Kirch <okir@monad.swb.de> found out, elm (at least 2.4, including
	24	elm-2.4pl24me6) opens it's temporary mbox file in /tmp without checking
	25	for existing symlinks. This can be exploited by a local user: for example
	26	to create an .rhosts file for another account which has none yet - with
	27	valid entries, thus getting access to that account.
	28
	29	The following patch (to be applied in the elm distribution directory)
	30	disables this possibility by changing the temporary mailbox file location
	31	to be .mbox.* in the users' home directory. This prohibits multiple elm
	32	sessions on different hosts with shared home dir, but as in this case the
	33	mail spool is probably shared, too, this should not be a problem.
	34
	35	It seems that the other files sometimes created by elm in /tmp are not
	36	so problematic. I haven't checked this thoroughly yet though.
	37
	38	Regards,
	39	Lutz
	40
	41	Patch follows (remove PGPs "- " !):
	42
	43	--- elm2.5.3/hdrs/sysdefs.SH.security Tue Feb 29 08:12:44 2000
	44	+++ elm2.5.3/hdrs/sysdefs.SH Tue Feb 29 08:17:14 2000
	45	@@ -107,7 +107,7 @@
	46	#define default_temp "$tmpdir/"
	47	#define temp_file "snd."
	48	#define temp_form_file "form."
	49	-#define temp_mbox "mbox."
	50	+#define temp_mbox ".mbox."
	51	#define temp_print "print."
	52	#define temp_edit "elm-edit"
	53	#define temp_uuname "uuname."
	54	--- elm2.5.3/src/newmbox.c.security Tue Feb 29 08:10:35 2000
	55	+++ elm2.5.3/src/newmbox.c Tue Feb 29 08:18:20 2000
	56	@@ -244,7 +244,7 @@
	57
	58	char *cp;
	59
	60	- sprintf(tempfn, "%s%s", default_temp, temp_mbox);
	61	+ sprintf(tempfn, "%s/.elm/%s", user_home, temp_mbox);
	62	cp = basename(mbox);
	63	if (strcmp(cp, "mbox") == 0 \|\| strcmp(cp, "mailbox") == 0 \|\|
	64	strcmp(cp, "inbox") == 0 \|\| *cp == '.')
65
66	-----BEGIN PGP SIGNATURE-----
67	Version: 2.6.2i
68
69	iQCVAwUBMEgqGE8rRJEuvpUdAQGQKAP9H2UXf3CbyC5/fZifAV9OzKoR6eGEwloA
70	H/8+OJEfpwOacYCpcoi4Njkaj2bEzjlyRxzDnz0VBFPdurxvFsN2cM9qMAN2tvNZ
71	qnP73hXFkLsi/ga8mmuVYeYgzoZJZOzPKSgA7SvtV8aD8WR/IK9Ze56beei5BIEx
72	jlwv9TGpI7A=
73	=82WU
74	-----END PGP SIGNATURE-----
75
76
77	--
78	Lutz Pre"sler <URL:http://www.AMS.Med.Uni-Goettingen.DE/~lpressl1/>
79	Systemverwaltung -- Abt. Medizinische Statistik, Universit"at G"ottingen
80	Humboldtallee 32, D-37073 G"ottingen, Tel.: +49(0551) 39-9774 FAX: -4995
81	<Lutz.Pressler@AMS.Med.Uni-Goettingen.DE> [PGP-key:WWW&Keyserver] IRC:lp
82