mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)

Debian Bug report logs - #944265
mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Wise <pabs@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: mailutils: local privilege escalation in maidag utility (fixed in 3.8)

Date: Thu, 07 Nov 2019 07:55:56 +0800

[Message part 1 (text/plain, inline)]

Source: mailutils
Severity: serious
Tags: security fixed-upstream

There is a local privilege escalation in the maidag utility:

https://savannah.gnu.org/forum/forum.php?forum_id=9586

   This version fixes important security flow. The maidag utility has
   been withdrawn and three new programs have been included to provide
   its functionality: local mail delivery agent mda, LMTP daemon lmtpd,
   and user mail delivery tool putmail. 

https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS

   * The maidag utility is withdrawn

   The main purpose of this utility was to work as local mail delivery
   agent (MDA), a program responsible for final delivery of email messages
   to the recipient's mailbox.  As such it required suid privileges.

   In parallel with its main purpose, it also was able to work in two
   other modes: the 'url' mode, designed to deliver mails to arbitrary
   mailbox URLs, and 'lmtp' mode, in which it acted as local mail
   transport daemon.  Neither of these needed suid privileges.

   The unfortunate design decision to combine the three modes in a single
   versatile tool resulted in local privilege escalation threat in 'url'
   mode.

   To fix this, maidag has been replaced by three different utilities,
   each one with a precisely defined purpose and carefully designed
   privileges: mda, lmtpd, and putmail.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 944265@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Paul Wise <pabs@debian.org>, 944265@bugs.debian.org

Subject: Re: Bug#944265: mailutils: local privilege escalation in maidag utility (fixed in 3.8)

Date: Mon, 11 Nov 2019 21:32:06 +0100

Control: retitle -1 mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)

Hi,

On Thu, Nov 07, 2019 at 07:55:56AM +0800, Paul Wise wrote:
> Source: mailutils
> Severity: serious
> Tags: security fixed-upstream
> 
> There is a local privilege escalation in the maidag utility:
> 
> https://savannah.gnu.org/forum/forum.php?forum_id=9586
> 
>    This version fixes important security flow. The maidag utility has
>    been withdrawn and three new programs have been included to provide
>    its functionality: local mail delivery agent mda, LMTP daemon lmtpd,
>    and user mail delivery tool putmail. 
> 
> https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS
> 
>    * The maidag utility is withdrawn
> 
>    The main purpose of this utility was to work as local mail delivery
>    agent (MDA), a program responsible for final delivery of email messages
>    to the recipient's mailbox.  As such it required suid privileges.
> 
>    In parallel with its main purpose, it also was able to work in two
>    other modes: the 'url' mode, designed to deliver mails to arbitrary
>    mailbox URLs, and 'lmtp' mode, in which it acted as local mail
>    transport daemon.  Neither of these needed suid privileges.
> 
>    The unfortunate design decision to combine the three modes in a single
>    versatile tool resulted in local privilege escalation threat in 'url'
>    mode.
> 
>    To fix this, maidag has been replaced by three different utilities,
>    each one with a precisely defined purpose and carefully designed
>    privileges: mda, lmtpd, and putmail.

The issue has been assigned CVE-2019-18862.

Regards,
Salvatore

Send a report that this bug log contains spam.