CVE-2006-529[78]: tempfile race conditions in mutt

Related Vulnerabilities: CVE-2006-5297, CVE-2006-5298

Debian Bug report logs - #396104


Package: mutt; Maintainer for mutt is Mutt maintainers <mutt@packages.debian.org>; Source for mutt is src:mutt.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 29 Oct 2006 20:33:02 UTC

Severity: grave

Tags: security

Found in versions 1.5.13-1, 1.5.9-2sarge2

Fixed in version mutt/1.5.13-1.1

Done: Christoph Berg <myon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#396104; Package mutt.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Adeodato Simó <dato@net.com.org.es>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-529[78]: tempfile race conditions in mutt
Date: Sun, 29 Oct 2006 21:18:51 +0100
package: mutt
severity: important
tags: security

Some tempfile race condition vulnerabilities have been found in mutt:

CVE-2006-5297:
Race condition in the safe_open function in the Mutt mail client
1.5.12 and earlier, when creating temporary files in an NFS
filesystem, allows local users to overwrite arbitrary files due to
limitations of the use of the O_EXCL flag on NFS filesystems.

CVE-2006-5298:
The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and
earlier does not properly verify that temporary files have been
created with restricted permissions, which might allow local users to
create files with weak permissions via a race condition between the
mktemp and safe_fopen function calls.

See
http://marc.theaimsgroup.com/?l=mutt-dev&m=115999486426292&w=2
for details.

I am not quite sure about the implications, adjust the severity as you 
see fit.

Please mention the CVE id in the changelog.
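The two CVE descriptions above name the two halves of the problem: relying on O_EXCL at the final path (unreliable on NFSv2) and never checking what permissions the created temporary file actually ended up with. The following C helper is an added example, not code from this bug report or from mutt; it applies the wrapper-directory idea that the upstream patch later in this log also takes. The function names `create_exclusive` and `run_demo`, the `.wrapXXXXXX` directory template and the sandbox under `/tmp` are all choices made for this example, and the publication step uses `link(2)` (whether mutt's `safe_rename` does exactly that is not visible in the hunk below, so treat it as an assumption). `run_demo` constructs its own inputs: a fresh name, the same name a second time, and a dangling symlink planted where the file should go.

```c
/* Feature macros first so mkdtemp(), lstat() and symlink() are declared. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create `path` exclusively; return an O_WRONLY descriptor or -1 with errno set.
 * The file is born inside a private 0700 wrapper directory (mkdtemp(3) is an
 * atomic mkdir(2), dependable where O_EXCL over NFSv2 is not: CVE-2006-5297) and
 * published with link(2), which fails with EEXIST instead of clobbering `path`.
 * The open descriptor is permission-checked before publication (the check that
 * was missing in CVE-2006-5298), and afterwards lstat(path) must be our inode. */
int create_exclusive(const char *path)
{
    char parent[PATH_MAX], tmpdir[PATH_MAX], tmpfile[PATH_MAX];
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    size_t n = (slash && slash != path) ? (size_t)(slash - path) : 1;
    struct stat fsb, psb;
    int fd, saved;
    if (strlen(path) + sizeof "./.wrapXXXXXX/" > sizeof tmpfile) {
        errno = ENAMETOOLONG;           /* also keeps parent[] in bounds below */
        return -1;
    }
    memcpy(parent, slash ? path : ".", n);      /* "/name" -> "/", "name" -> "." */
    parent[n] = '\0';
    snprintf(tmpdir, sizeof tmpdir, "%s/.wrapXXXXXX", parent);
    if (!mkdtemp(tmpdir))                       /* atomic mkdir(2), mode 0700 */
        return -1;
    snprintf(tmpfile, sizeof tmpfile, "%s/%s", tmpdir, base);
    if ((fd = open(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        goto fail;
    errno = EPERM;                              /* reported if the checks fail */
    if (fstat(fd, &fsb) < 0 || !S_ISREG(fsb.st_mode) || fsb.st_nlink != 1 ||
        (fsb.st_mode & 077))                    /* group/other bits: not ours */
        goto fail;
    if (link(tmpfile, path) < 0)                /* EEXIST if anything is at `path` */
        goto fail;
    unlink(tmpfile);
    rmdir(tmpdir);
    if (lstat(path, &psb) < 0 || psb.st_dev != fsb.st_dev || psb.st_ino != fsb.st_ino) {
        close(fd);                              /* the name was replaced under us */
        return -1;
    }
    return fd;
fail:
    saved = errno;
    if (fd >= 0)
        close(fd);
    unlink(tmpfile);                            /* harmless if never created */
    rmdir(tmpdir);
    errno = saved;
    return -1;
}

/* Exercise create_exclusive() in a throw-away sandbox (constructed for this
 * example). Returns 0 when every check passes, else the number of the failing one. */
int run_demo(void)
{
    char sandbox[] = "/tmp/tmpfile-demo-XXXXXX";
    char target[PATH_MAX], decoy[PATH_MAX];
    struct stat sb;
    int fd, rc = 0;
    if (!mkdtemp(sandbox))
        return 1;
    snprintf(target, sizeof target, "%s/draft.txt", sandbox);
    snprintf(decoy, sizeof decoy, "%s/decoy.txt", sandbox);
    /* fresh name: succeeds, is a regular file, has no group/other bits */
    if ((fd = create_exclusive(target)) < 0)
        rc = 2;
    else if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode) || (sb.st_mode & 077))
        rc = 3;
    if (fd >= 0)
        close(fd);
    /* same name again: refused with EEXIST, the existing file is left untouched */
    if (rc == 0 && (fd = create_exclusive(target)) >= 0) {
        close(fd);
        rc = 4;
    } else if (rc == 0 && errno != EEXIST) {
        rc = 5;
    }
    /* a dangling symlink planted at the name: refused, never followed */
    if (rc == 0 && symlink("/nonexistent/victim", decoy) < 0)
        rc = 6;
    else if (rc == 0 && (fd = create_exclusive(decoy)) >= 0) {
        close(fd);
        rc = 7;
    }
    unlink(target);
    unlink(decoy);
    rmdir(sandbox);
    return rc;
}
```

Two design points carry the weight here. First, both `mkdir(2)` and `link(2)` are atomic directory operations that NFS implements as single RPCs, so the exclusivity guarantee no longer depends on O_EXCL being honoured by the server. Second, every property that matters (regular file, single link, no group/other bits, same inode as the published name) is checked on the descriptor we already hold, not by re-stat'ing a path that another local user could swap underneath us; that is exactly the window the `mktemp`/`safe_fopen` pair in CVE-2006-5298 left open.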



Severity set to `grave' from `important'. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#396104; Package mutt.


Message #10 received at 396104@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: 396104@bugs.debian.org
Subject: Re: CVE-2006-529[78]: tempfile race conditions in mutt
Date: Tue, 12 Dec 2006 16:02:01 +0100
Re: Stefan Fritsch 2006-10-29 <200610292118.51406.sf@sfritsch.de>
> Some tempfile race condition vulnerabilities have been found in mutt:
> 
> CVE-2006-5297:
> Race condition in the safe_open function in the Mutt mail client
> 1.5.12 and earlier, when creating temporary files in an NFS
> filesystem, allows local users to overwrite arbitrary files due to
> limitations of the use of the O_EXCL flag on NFS filesystems.
> 
> CVE-2006-5298:
> The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and
> earlier does not properly verify that temporary files have been
> created with restricted permissions, which might allow local users to
> create files with weak permissions via a race condition between the
> mktemp and safe_fopen function calls.

Hi,

here's the changelog for the NMU I'll upload in a minute. It'd be nice
to see this included in etch.

debdiff mutt_1.5.13-1.dsc /srv/pbuilder/result/mutt_1.5.13-1.1.dsc
 mutt-1.5.13/debian/changelog           |    8 ++
 mutt-1.5.13/debian/patches/series      |    1 
 debian/patches/misc/tempfile-race.diff |  100 +++++++++++++++++++++++++++++++++
 3 files changed, 109 insertions(+)

diff -u mutt-1.5.13/debian/changelog mutt-1.5.13/debian/changelog
--- mutt-1.5.13/debian/changelog
+++ mutt-1.5.13/debian/changelog
@@ -1,3 +1,11 @@
+mutt (1.5.13-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add upstream patch to fix insecure temp file generation
+    (Closes: #396104, CVE-2006-5297, CVE-2006-5298).
+
+ -- Christoph Berg <myon@debian.org>  Tue, 12 Dec 2006 14:49:24 +0100
+
 mutt (1.5.13-1) unstable; urgency=low
 
   * New upstream release, with a new pattern to match full threads (see
diff -u mutt-1.5.13/debian/patches/series mutt-1.5.13/debian/patches/series
--- mutt-1.5.13/debian/patches/series
+++ mutt-1.5.13/debian/patches/series
@@ -17,6 +17,7 @@
 debian-specific/dont_document_not_present_features.diff -p0
 
 misc/define-pgp_getkeys_command.diff -p0
+misc/tempfile-race.diff
 misc/autotools-update.diff -p0
 
 upstream/thread_pattern_in_UPDATING.diff -p0
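Review bot: the new `misc/tempfile-race.diff` line is the only series entry in this hunk without a strip argument, while its neighbours `misc/define-pgp_getkeys_command.diff -p0` and `misc/autotools-update.diff -p0` carry one. That is correct for this patch, since the embedded upstream diff uses `a/lib.c`/`b/lib.c` paths that quilt's default strip level of 1 handles, but at a glance it reads as an omission; an explicit `-p1` would state the intent and keep the file's one-entry-one-level style.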
only in patch4:
unchanged:
--- mutt-1.5.13.orig/debian/patches/misc/tempfile-race.diff
+++ mutt-1.5.13/debian/patches/misc/tempfile-race.diff
@@ -0,0 +1,100 @@
+From: roessler <roessler>
+Date: Mon, 9 Oct 2006 13:39:38 +0000 (+0000)
+Subject: From: Thomas Roessler <roessler@does-not-exist.org>
+X-Git-Url: http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commitdiff;h=f6404a53a2b7a9a3b36d89def185e1192abdd108
+
+  From: Thomas Roessler <roessler@does-not-exist.org>
+  
+  Even more paranoid temporary file creation.
+---
+
+--- a/lib.c
++++ b/lib.c
+@@ -481,14 +481,85 @@ int safe_rename (const char *src, const 
+   return 0;
+ }
+ 
++/* Create a temporary directory next to a file name */
++
++int mutt_mkwrapdir (const char *path, char *newfile, size_t nflen, 
++		    char *newdir, size_t ndlen)
++{
++  const char *basename;
++  char parent[_POSIX_PATH_MAX];
++  char *p;
++  int rv;
++
++  strfcpy (parent, NONULL (path), sizeof (parent));
++  
++  if ((p = strrchr (parent, '/')))
++  {
++    *p = '\0';
++    basename = p + 1;
++  }
++  else
++  {
++    strfcpy (parent, ".", sizeof (parent));
++    basename = path;
++  }
++
++  do 
++  {
++    snprintf (newdir, ndlen, "%s/%s", parent, ".muttXXXXXX");
++    mktemp (newdir);
++  } 
++  while ((rv = mkdir (newdir, 0700)) == -1 && errno == EEXIST);
++  
++  if (rv == -1)
++    return -1;
++  
++  snprintf (newfile, nflen, "%s/%s", newdir, NONULL(basename));
++  return 0;  
++}
++
++int mutt_put_file_in_place (const char *path, const char *safe_file, const char *safe_dir)
++{
++  int rv;
++  
++  rv = safe_rename (safe_file, path);
++  unlink (safe_file);
++  rmdir (safe_dir);
++  return rv;
++}
++
+ int safe_open (const char *path, int flags)
+ {
+   struct stat osb, nsb;
+   int fd;
+ 
+-  if ((fd = open (path, flags, 0600)) < 0)
+-    return fd;
++  if (flags & O_EXCL) 
++  {
++    char safe_file[_POSIX_PATH_MAX];
++    char safe_dir[_POSIX_PATH_MAX];
+ 
++    if (mutt_mkwrapdir (path, safe_file, sizeof (safe_file),
++			safe_dir, sizeof (safe_dir)) == -1)
++      return -1;
++    
++    if ((fd = open (safe_file, flags, 0600)) < 0)
++    {
++      rmdir (safe_dir);
++      return fd;
++    }
++    
++    if (mutt_put_file_in_place (path, safe_file, safe_dir) == -1)
++    {
++      close (fd);
++      return -1;
++    }
++  }
++  else
++  {
++    if ((fd = open (path, flags, 0600)) < 0)
++      return fd;
++  }
++    
+   /* make sure the file is not symlink */
+   if (lstat (path, &osb) < 0 || fstat (fd, &nsb) < 0 ||
+       compare_stat(&osb, &nsb) == -1)
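Review bot: `mutt_put_file_in_place` can hand the caller the wrong errno: it runs `unlink (safe_file)` and `rmdir (safe_dir)` after `safe_rename` and then returns `rv`, so when the rename fails, `safe_open` (and through it the caller) sees whatever the cleanup calls left in errno, e.g. ENOTEMPTY from the rmdir; save errno before the cleanup and restore it before `return rv`. In `mutt_mkwrapdir`, the `do { mktemp } while (mkdir == -1 && errno == EEXIST)` loop is sound because `mkdir (newdir, 0700)` is the atomic step, but the result of `mktemp` is never checked: on name exhaustion it yields an empty string, so the loop ends with `mkdir ("")` failing ENOENT, which is confusing to diagnose; a `*newdir == '\0'` test (or mkdtemp where available) would be clearer. Two smaller points: both new functions are non-static and the patch touches only lib.c, so no prototype is added anywhere, and the local named `basename` shadows the libc function of that name; `base` would avoid the shadowing.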

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/

Bug marked as found in version 1.5.13-1. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org.


Reply sent to Christoph Berg <myon@debian.org>: You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.


Message #17 received at 396104-close@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: 396104-close@bugs.debian.org
Subject: Bug#396104: fixed in mutt 1.5.13-1.1
Date: Tue, 12 Dec 2006 15:17:03 +0000
Source: mutt
Source-Version: 1.5.13-1.1

We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive:

mutt_1.5.13-1.1.diff.gz
  to pool/main/m/mutt/mutt_1.5.13-1.1.diff.gz
mutt_1.5.13-1.1.dsc
  to pool/main/m/mutt/mutt_1.5.13-1.1.dsc
mutt_1.5.13-1.1_amd64.deb
  to pool/main/m/mutt/mutt_1.5.13-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 396104@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <myon@debian.org> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 12 Dec 2006 14:49:24 +0100
Source: mutt
Binary: mutt
Architecture: source amd64
Version: 1.5.13-1.1
Distribution: unstable
Urgency: high
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Christoph Berg <myon@debian.org>
Description: 
 mutt       - text-based mailreader supporting MIME, GPG, PGP and threading
Closes: 396104
Changes: 
 mutt (1.5.13-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add upstream patch to fix insecure temp file generation
     (Closes: #396104, CVE-2006-5297, CVE-2006-5298).
Files: 
 7f736974fa210252e03bbcbf02ae6ddc 735 mail standard mutt_1.5.13-1.1.dsc
 5778575f910b7a7a71b34af477b66036 136526 mail standard mutt_1.5.13-1.1.diff.gz
 de01e8d7c9f2bbfc412711ebba92a2d2 1836796 mail standard mutt_1.5.13-1.1_amd64.deb





Bug marked as found in version 1.5.9-2sarge2. Request was from Elizabeth Bevilacqua <lyz@princessleia.com> to control@bugs.debian.org. (Thu, 10 May 2007 18:24:19 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:28:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:42:36 2019; Machine Name: buxtehude
