Debian Bug report logs - #944265
mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)
Report forwarded to debian-bugs-dist@lists.debian.org, Jordi Mallach <jordi@debian.org>: Bug#944265; Package src:mailutils. (Thu, 07 Nov 2019 00:00:06 GMT)
Acknowledgement sent to Paul Wise <pabs@debian.org>: New Bug report received and forwarded. Copy sent to Jordi Mallach <jordi@debian.org>. (Thu, 07 Nov 2019 00:00:06 GMT)

Message #5 received at submit@bugs.debian.org:

Source: mailutils
Severity: serious
Tags: security fixed-upstream

There is a local privilege escalation in the maidag utility:

https://savannah.gnu.org/forum/forum.php?forum_id=9586

This version fixes an important security flaw. The maidag utility has
been withdrawn and three new programs have been included to provide
its functionality: local mail delivery agent mda, LMTP daemon lmtpd,
and user mail delivery tool putmail.

https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS

* The maidag utility is withdrawn

The main purpose of this utility was to work as local mail delivery
agent (MDA), a program responsible for final delivery of email messages
to the recipient's mailbox. As such it required suid privileges.

In parallel with its main purpose, it also was able to work in two
other modes: the 'url' mode, designed to deliver mails to arbitrary
mailbox URLs, and 'lmtp' mode, in which it acted as local mail
transport daemon. Neither of these needed suid privileges.

The unfortunate design decision to combine the three modes in a single
versatile tool resulted in local privilege escalation threat in 'url'
mode.

To fix this, maidag has been replaced by three different utilities,
each one with a precisely defined purpose and carefully designed
privileges: mda, lmtpd, and putmail.

--
bye,
pabs
https://wiki.debian.org/PaulWise
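The report above gives administrators two things to check on a host: whether the installed mailutils predates the 3.8 fix, and whether a setuid-root maidag binary is still present. The audit below is an added example written for this page, not code from mailutils or from Debian; the file paths and version strings in it are constructed samples, and the version parser assumes Debian's "epoch:upstream-revision" layout.

```python
import os
import re
import stat
from dataclasses import dataclass

FIXED_VERSION = (3, 8)  # the report states the issue is fixed in mailutils 3.8


def upstream_version(version: str) -> tuple:
    """Reduce a Debian-style version ("1:3.7.6-1" or plain "3.8") to a tuple
    of the upstream numeric components, dropping epoch and Debian revision."""
    v = version.split(":", 1)[-1]      # drop "epoch:" if present
    v = v.split("-", 1)[0]             # drop "-debianrevision" if present
    return tuple(int(n) for n in re.findall(r"\d+", v))


def version_is_affected(version: str) -> bool:
    """True when the upstream version is older than the 3.8 fix."""
    return upstream_version(version) < FIXED_VERSION


@dataclass
class FileInfo:
    path: str
    mode: int   # st_mode bits, as returned by os.stat
    uid: int    # owner uid


def from_filesystem(paths):
    """Build FileInfo records for paths that exist on this host."""
    out = []
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            out.append(FileInfo(p, st.st_mode, st.st_uid))
    return out


def find_setuid_maidag(files):
    """Return paths of files named 'maidag' that are setuid and owned by root."""
    return [f.path for f in files
            if os.path.basename(f.path) == "maidag"
            and f.mode & stat.S_ISUID and f.uid == 0]


def audit(version: str, files):
    """Collect findings; an empty list means nothing to report."""
    findings = []
    if version_is_affected(version):
        findings.append(f"mailutils {version} predates 3.8 (CVE-2019-18862 fix)")
    for p in find_setuid_maidag(files):
        findings.append(f"setuid-root maidag still installed at {p}")
    return findings


# Constructed sample input; the paths are placeholders, not real install locations.
SAMPLE_FILES = [
    FileInfo("/example/path/maidag", 0o104755, 0),   # setuid root -> flagged
    FileInfo("/example/path/mda", 0o100755, 0),      # replacement tool, not setuid
]
```

For a live check, pass `from_filesystem([...candidate paths...])` and the version reported by the package manager to `audit()`.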
Information forwarded to debian-bugs-dist@lists.debian.org, Jordi Mallach <jordi@debian.org>: Bug#944265; Package src:mailutils. (Mon, 11 Nov 2019 20:36:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Jordi Mallach <jordi@debian.org>. (Mon, 11 Nov 2019 20:36:03 GMT)

Message #10 received at 944265@bugs.debian.org:

Control: retitle -1 mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)
Hi,
On Thu, Nov 07, 2019 at 07:55:56AM +0800, Paul Wise wrote:
> Source: mailutils
> Severity: serious
> Tags: security fixed-upstream
>
> There is a local privilege escalation in the maidag utility:
>
> https://savannah.gnu.org/forum/forum.php?forum_id=9586
>
> This version fixes an important security flaw. The maidag utility has
> been withdrawn and three new programs have been included to provide
> its functionality: local mail delivery agent mda, LMTP daemon lmtpd,
> and user mail delivery tool putmail.
>
> https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS
>
> * The maidag utility is withdrawn
>
> The main purpose of this utility was to work as local mail delivery
> agent (MDA), a program responsible for final delivery of email messages
> to the recipient's mailbox. As such it required suid privileges.
>
> In parallel with its main purpose, it also was able to work in two
> other modes: the 'url' mode, designed to deliver mails to arbitrary
> mailbox URLs, and 'lmtp' mode, in which it acted as local mail
> transport daemon. Neither of these needed suid privileges.
>
> The unfortunate design decision to combine the three modes in a single
> versatile tool resulted in local privilege escalation threat in 'url'
> mode.
>
> To fix this, maidag has been replaced by three different utilities,
> each one with a precisely defined purpose and carefully designed
> privileges: mda, lmtpd, and putmail.
The issue has been assigned CVE-2019-18862.
Regards,
Salvatore

Changed Bug title to 'mailutils: local privilege escalation in maidag utility (fixed in 3.8) (CVE-2019-18862)' from 'mailutils: local privilege escalation in maidag utility (fixed in 3.8)'.
Request was from Salvatore Bonaccorso <carnil@debian.org> to 944265-submit@bugs.debian.org. (Mon, 11 Nov 2019 20:36:03 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Nov 12 08:34:39 2019; Machine Name: buxtehude