Commit | Line | Data |
---|---|---|
45a2ec40 | 1 | From owner-linux-security@tarsier.cv.nrao.edu Sat Sep 2 11:42:09 1995 |
2 | Received: from tarsier.cv.nrao.edu (tarsier.cv.nrao.edu [192.33.115.50]) by redhat.com (8.6.11/8.6.9) with ESMTP id LAA10004 for <marc@redhat.com>; Sat, 2 Sep 1995 11:42:05 -0400 | |
3 | Received: (from majdom@localhost) by tarsier.cv.nrao.edu (8.6.12/8.6.9) id IAA06787; Sat, 2 Sep 1995 08:47:44 -0400 | |
4 | Received: from cortex.AMS.Med.Uni-Goettingen.DE (root@cortex.AMS.Med.Uni-Goettingen.DE [134.76.140.101]) by tarsier.cv.nrao.edu (8.6.12/8.6.9) with ESMTP id FAA06456; Sat, 2 Sep 1995 05:57:10 -0400 | |
5 | Received: by cortex.AMS.Med.Uni-Goettingen.DE (Smail3.1.29.1 #9) | |
6 | id m0sopJH-0005G8C; Sat, 2 Sep 95 11:56 MET DST | |
7 | Date: Sat, 2 Sep 1995 11:56:22 +0200 (MET DST) | |
8 | From: Lutz Pressler <Lutz.Pressler@Unix.AMS.Med.Uni-Goettingen.DE> | |
9 | To: Olaf Kirch <okir@monad.swb.de> | |
10 | cc: linux-security@tarsier.cv.nrao.edu, BUGTRAQ@CRIMELAB.COM | |
11 | Subject: elm and /tmp/mbox.*: patch | |
12 | Message-ID: <Pine.LNX.3.91lp.950902113951.11841A-100000@cortex.AMS.Med.Uni-Goettingen.DE> | |
13 | MIME-Version: 1.0 | |
14 | Content-Type: TEXT/PLAIN; charset=US-ASCII | |
15 | Sender: owner-linux-security@tarsier.cv.nrao.edu | |
16 | Precedence: list | |
17 | Status: RO | |
18 | ||
19 | -----BEGIN PGP SIGNED MESSAGE----- | |
20 | ||
21 | Hello, | |
22 | ||
23 | as Olaf Kirch <okir@monad.swb.de> found out, elm (at least 2.4, including | |
24 | elm-2.4pl24me6) opens its temporary mbox file in /tmp without checking | |
25 | for existing symlinks. This can be exploited by a local user: for example | |
26 | to create an .rhosts file for another account which has none yet - with | |
27 | valid entries, thus getting access to that account. | |
28 | ||
29 | The following patch (to be applied in the elm distribution directory) | |
30 | disables this possibility by changing the temporary mailbox file location | |
31 | to be .mbox.* in the users' home directory. This prohibits multiple elm | |
32 | sessions on different hosts with shared home dir, but as in this case the | |
33 | mail spool is probably shared, too, this should not be a problem. | |
34 | ||
35 | It seems that the other files sometimes created by elm in /tmp are not | |
36 | so problematic. I haven't checked this thoroughly yet though. | |
37 | ||
38 | Regards, | |
39 | Lutz | |
40 | ||
41 | Patch follows (remove PGP's "- " !): | |
42 | ||
43 | --- elm2.5.3/hdrs/sysdefs.SH.security Tue Feb 29 08:12:44 2000 | |
44 | +++ elm2.5.3/hdrs/sysdefs.SH Tue Feb 29 08:17:14 2000 | |
45 | @@ -107,7 +107,7 @@ | |
46 | #define default_temp "$tmpdir/" | |
47 | #define temp_file "snd." | |
48 | #define temp_form_file "form." | |
49 | -#define temp_mbox "mbox." | |
50 | +#define temp_mbox ".mbox." | |
51 | #define temp_print "print." | |
52 | #define temp_edit "elm-edit" | |
53 | #define temp_uuname "uuname." | |
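Review bot: the `+#define temp_mbox ".mbox."` line only renames the file and does not by itself move anything out of `default_temp`, which is still defined as "$tmpdir/" two lines above. Add a comment on this define saying that `temp_mbox` is now joined to the user's home rather than to `default_temp`, so a later caller does not pair the two again. The neighbouring names (`temp_file`, `temp_form_file`, `temp_print`, `temp_edit`, `temp_uuname`) are unchanged and equally predictable, and the message says the other files in /tmp have not been checked thoroughly, so they should get the same symlink review.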
54 | --- elm2.5.3/src/newmbox.c.security Tue Feb 29 08:10:35 2000 | |
55 | +++ elm2.5.3/src/newmbox.c Tue Feb 29 08:18:20 2000 | |
56 | @@ -244,7 +244,7 @@ | |
57 | ||
58 | char *cp; | |
59 | ||
60 | - sprintf(tempfn, "%s%s", default_temp, temp_mbox); | |
61 | + sprintf(tempfn, "%s/.elm/%s", user_home, temp_mbox); | |
62 | cp = basename(mbox); | |
63 | if (strcmp(cp, "mbox") == 0 || strcmp(cp, "mailbox") == 0 || | |
64 | strcmp(cp, "inbox") == 0 || *cp == '.') | |
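Review bot: at the `+ sprintf(tempfn, "%s/.elm/%s", user_home, temp_mbox);` line the path now depends on a `.elm` directory already existing under `user_home`, and nothing in this hunk creates or checks it; it also disagrees with the message, which says the file goes to `.mbox.*` in the home directory itself. Create the directory with owner-only permissions before this point (or fail with a clear error) and make the description match the code. The `sprintf` is unbounded and no limit on `user_home` is visible here, so a bounded write sized to `tempfn` would be safer. The open that consumes `tempfn` lies outside this hunk and is unchanged, so the missing symlink check is sidestepped by relocation rather than fixed; an exclusive create (`O_CREAT` with `O_EXCL`) at that open would still protect users whose home or `.elm` directory is writable by others.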
65 | ||
66 | -----BEGIN PGP SIGNATURE----- | |
67 | Version: 2.6.2i | |
68 | ||
69 | iQCVAwUBMEgqGE8rRJEuvpUdAQGQKAP9H2UXf3CbyC5/fZifAV9OzKoR6eGEwloA | |
70 | H/8+OJEfpwOacYCpcoi4Njkaj2bEzjlyRxzDnz0VBFPdurxvFsN2cM9qMAN2tvNZ | |
71 | qnP73hXFkLsi/ga8mmuVYeYgzoZJZOzPKSgA7SvtV8aD8WR/IK9Ze56beei5BIEx | |
72 | jlwv9TGpI7A= | |
73 | =82WU | |
74 | -----END PGP SIGNATURE----- | |
75 | ||
76 | ||
77 | -- | |
78 | Lutz Pre"sler <URL:http://www.AMS.Med.Uni-Goettingen.DE/~lpressl1/> | |
79 | Systemverwaltung -- Abt. Medizinische Statistik, Universit"at G"ottingen | |
80 | Humboldtallee 32, D-37073 G"ottingen, Tel.: +49(0551) 39-9774 FAX: -4995 | |
81 | <Lutz.Pressler@AMS.Med.Uni-Goettingen.DE> [PGP-key:WWW&Keyserver] IRC:lp | |
82 |
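
The failure mode the message describes (a predictable temp name opened "without checking for existing symlinks") next to an exclusive create that refuses a pre-planted link. This is an added example, not part of the original message or the elm sources; the function names, scratch directory and file names are constructed for illustration, and it shows a complementary check rather than the relocation the patch uses.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the message describes: predictable name, plain create/truncate.
 * If the name is already a symlink, the kernel follows it and the file
 * is created (or truncated) at the link target. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_CREAT|O_EXCL fails if the name exists at all, symlinks included
 * (dangling or not), so a pre-planted link cannot redirect the write. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private scratch directory (all names are
 * hypothetical): "mbox.user" is a symlink to a not-yet-existing "target".
 * Returns a bitmask: 1 = naive open created the link target,
 *                    2 = exclusive open was refused, target untouched. */
int symlink_demo(void) {
    char dir[] = "/tmp/elmdemo.XXXXXX";
    char link_path[64], target[64];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/mbox.user", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return -1; }

    fd = open_exclusive(link_path);
    if (fd < 0 && stat(target, &st) != 0) result |= 2;
    if (fd >= 0) close(fd);

    fd = open_naive(link_path);
    if (fd >= 0) close(fd);
    if (stat(target, &st) == 0) result |= 1;

    unlink(target); unlink(link_path); rmdir(dir);
    return result;
}

int main(void) {
    printf("result mask: %d (3 = naive followed, exclusive refused)\n", symlink_demo());
    return 0;
}
```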