CVE-2009-1631: world-readable permissions for the .evolution directory

Related Vulnerabilities: CVE-2009-1631  

Debian Bug report logs - #526409

Reported by: Tim Connors <tconnors@rather.puzzling.org>

Date: Fri, 1 May 2009 01:27:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version evolution/2.24.5-3

Fixed in version 2.29.90-1

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.gnome.org/show_bug.cgi?id=581604

Message #5 received at submit@bugs.debian.org:

From: Tim Connors <tconnors@rather.puzzling.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: evolution: permissions on mailbox folders are set wrong
Date: Fri, 01 May 2009 11:25:24 +1000
Package: evolution
Version: 2.24.5-3
Severity: grave
Tags: security
Justification: user security hole

tconnors@denman:~$ l /home/maree/.evolution/mail/local/Sent
-rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent

Hmmm.  Would it be a good idea to set ~/.evolution to 700 perhaps?  Or
just adopt a restrictive umask for the whole of evolution (mail being
a rather more sensitive application than most)?

Many site policies are for home directories to be world or group
readable, and trusting users not to be stupid with their permissions.
Unfortunately this breaks down when the applications themselves are
stupid.

This affects upstream as well, as verified by several installations of
deadrat and the like installed over many years at work.


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (710, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages evolution depends on:
ii  dbus             1.2.12-1                simple interprocess messaging syst
ii  debconf [debconf 1.5.26                  Debian configuration management sy
ii  evolution-common 2.24.5-3                architecture independent files for
ii  evolution-data-s 2.24.5-4+b1             evolution database backend server
ii  gconf2           2.24.0-7                GNOME configuration database syste
ii  gnome-icon-theme 2.24.0-4                GNOME Desktop icon theme
ii  libart-2.0-2     2.3.20-2                Library of functions for 2D graphi
ii  libatk1.0-0      1.24.0-2                The ATK accessibility toolkit
ii  libbluetooth4    3.36-1                  Library to use the BlueZ Linux Blu
ii  libbonobo2-0     2.24.1-1                Bonobo CORBA interfaces library
ii  libbonoboui2-0   2.24.1-1                The Bonobo UI library
ii  libc6            2.9-6                   GNU C Library: Shared libraries
ii  libcairo2        1.8.6-2+b1              The Cairo 2D vector graphics libra
ii  libcamel1.2-14   2.24.5-4+b1             The Evolution MIME message handlin
ii  libdbus-1-3      1.2.12-1                simple interprocess messaging syst
ii  libdbus-glib-1-2 0.80-3                  simple interprocess messaging syst
ii  libebackend1.2-0 2.24.5-4+b1             Utility library for evolution data
ii  libebook1.2-9    2.24.5-4+b1             Client library for evolution addre
ii  libecal1.2-7     2.24.5-4+b1             Client library for evolution calen
ii  libedataserver1. 2.24.5-4+b1             Utility library for evolution data
ii  libedataserverui 2.24.5-4+b1             GUI utility library for evolution 
ii  libegroupwise1.2 2.24.5-4+b1             Client library for accessing group
ii  libenchant1c2a   1.4.2-3.3               a wrapper library for various spel
ii  libexchange-stor 2.24.5-4+b1             Client library for accessing Excha
ii  libfontconfig1   2.6.0-3                 generic font configuration library
ii  libfreetype6     2.3.9-4                 FreeType 2 font engine, shared lib
ii  libgconf2-4      2.24.0-7                GNOME configuration database syste
ii  libgdata-google1 2.24.5-4+b1             Client library for accessing Googl
ii  libgdata1.2-1    2.24.5-4+b1             Client library for accessing Googl
ii  libglade2-0      1:2.6.3-1               library to load .glade files at ru
ii  libglib2.0-0     2.20.0-2                The GLib library of C routines
ii  libgnome-pilot2  2.0.15-2.4              Support libraries for gnome-pilot
ii  libgnome2-0      2.24.1-2                The GNOME 2 library - runtime file
ii  libgnomecanvas2- 2.20.1.1-1              A powerful object-oriented display
ii  libgnomeui-0     2.24.1-1                The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0   1:2.24.1-1              GNOME Virtual File System (runtime
ii  libgtk2.0-0      2.14.7-5                The GTK+ graphical user interface 
ii  libgtkhtml-edito 3.24.5-2                HTML rendering/editing library - e
ii  libgtkhtml3.14-1 3.24.5-2                HTML rendering/editing library - r
ii  libhal1          0.5.11-8                Hardware Abstraction Layer - share
ii  libice6          2:1.0.5-1               X11 Inter-Client Exchange library
ii  libldap-2.4-2    2.4.15-1                OpenLDAP libraries
ii  libnm-glib0      0.7.0.100-1             network management framework (GLib
ii  libnotify1 [libn 0.4.5-1                 sends desktop notifications to a n
ii  libnspr4-0d      4.7.1-4                 NetScape Portable Runtime Library
ii  libnss3-1d       3.12.2.with.ckbi.1.73-1 Network Security Service libraries
ii  liborbit2        1:2.14.17-0.1           libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0    1.24.0-3                Layout and rendering of internatio
ii  libpisock9       0.12.3-10               library for communicating with a P
ii  libpisync1       0.12.3-10               synchronization library for PalmOS
ii  libpopt0         1.14-4                  lib for parsing cmdline parameters
ii  libsm6           2:1.1.0-2               X11 Session Management library
ii  libsoup2.4-1     2.24.3-2                an HTTP library implementation in 
ii  libsqlite3-0     3.6.12-1                SQLite 3 shared library
ii  libusb-0.1-4     2:0.1.12-13             userspace USB programming library
ii  libx11-6         2:1.2-1                 X11 client-side library
ii  libxml2          2.7.3.dfsg-1            GNOME XML library
ii  zlib1g           1:1.2.3.3.dfsg-13       compression library - runtime

Versions of packages evolution recommends:
ii  evolution-plugins           2.24.5-3     standard plugins for Evolution
ii  evolution-webcal            2.21.92-1+b1 webcal: URL handler for GNOME and 
ii  gnome-desktop-data          2.22.3-2     Common files for GNOME 2 desktop a
pn  gnome-pilot-conduits        <none>       (no description available)
ii  spamassassin                3.2.5-4      Perl-based spam filter using text 
ii  yelp                        2.24.0-2     Help browser for GNOME 2

Versions of packages evolution suggests:
pn  bug-buddy                     <none>     (no description available)
pn  evolution-dbg                 <none>     (no description available)
ii  evolution-exchange            2.24.5-1   Exchange plugin for the Evolution 
pn  evolution-plugins-experimenta <none>     (no description available)
ii  gnome-spell                   1.0.7-1    GNOME/Bonobo component for spell c
ii  gnupg                         1.4.9-4    GNU privacy guard - a free PGP rep
pn  network-manager               <none>     (no description available)

-- debconf information:
  evolution/needs_shutdown:




Message #10 received at 526409@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Tim Connors <tconnors@rather.puzzling.org>, 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: evolution: permissions on mailbox folders are set wrong
Date: Mon, 04 May 2009 08:14:22 +0200
On Fri, 2009-05-01 at 11:25 +1000, Tim Connors wrote:
> Package: evolution
> Version: 2.24.5-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> tconnors@denman:~$ l /home/maree/.evolution/mail/local/Sent
> -rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent
> 
> Hmmm.  Would it be a good idea to set ~/.evolution to 700 perhaps?  Or
> just adopt a restrictive umask for the whole of evolution (mail being
> a rather more sensitive application than most)?
> 
> Many site policies are for home directories to be world or group
> readable, and trusting users not to be stupid with their permissions.
> Unfortunately this breaks down when the applications themselves are
> stupid.
> 
> This affects upstream as well, as verified by several installations of
> deadrat and the like installed over many years at work.

Are you saying that if you change .evolution permissions to 700, they
are set back to 744 after evolution runs? Because they aren't here.

If you say that evolution should create folder/files with more
restrictive defaults, I disagree. evolution should just use what the
current umask is. If you want it to another value, just set it in your
environment before running evolution (isn't that the purpose of umask
anyway?). Multi-user systems running evolution aren't that frequent, I
guess (multi-user systems aren't that frequent anyway, these days) and
you can adjust the permissions for your ~ and .evolution in a lot of
different ways. No need to add complexity to that huge stack of code.

Cheers,
-- 
Yves-Alexis

Message #15 received at 526409@bugs.debian.org:

From: Tim Connors <tim.w.connors@gmail.com>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: evolution: permissions on mailbox folders are set wrong
Date: Mon, 4 May 2009 17:35:27 +1000 (EST)
On Mon, 4 May 2009, Yves-Alexis Perez wrote:

> On Fri, 2009-05-01 at 11:25 +1000, Tim Connors wrote:
> > Package: evolution
> > Version: 2.24.5-3
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > tconnors@denman:~$ l /home/maree/.evolution/mail/local/Sent
> > -rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent
> >
> > Hmmm.  Would it be a good idea to set ~/.evolution to 700 perhaps?  Or
> > just adopt a restrictive umask for the whole of evolution (mail being
> > a rather more sensitive application than most)?
> >
> > Many site policies are for home directories to be world or group
> > readable, and trusting users not to be stupid with their permissions.
> > Unfortunately this breaks down when the applications themselves are
> > stupid.
> >
> > This affects upstream as well, as verified by several installations of
> > deadrat and the like installed over many years at work.
>
> Are you saying that if you change .evolution permissions to 700, they
> are set back to 744 after evolution runs? Because they aren't here.
>
> If you say that evolution should create folder/files with more
> restrictive defaults, I disagree.

Yes, I'm saying they should be created with more restrictive defaults.

> evolution should just use what the
> current umask is. If you want it to another value, just set it in your
> environment before running evolution (isn't that the purpose of umask
> anyway?). Multi-user systems running evolution aren't that frequent, I
> guess (multi-user systems aren't that frequent anyway, these days) and
> you can adjust the permissions for your ~ and .evolution in a lot of
> different ways. No need to add complexity to that huge stack of code.

Family machines?  (eg, the machine I found this bug on.  I myself wouldn't
use evolution or indeed desktop environments if I was forced at gunpoint,
but that's what mum uses.  In desktop environments, good luck setting a
sensible umask.)

What kind of complexity is

int main(...) {
   umask(0077);   /* mask off all group and other permission bits */
   ...
}
?

Since mail (and web browser profiles - I believe firefox does this, and
opera certainly does) is about the only thing of this kind of sensitivity,
it should explicitly set mail permissions.

More sensible MTAs like alpine and mutt do this (indeed, alpine warns you
if you have silly permissions).

-- 
TimC
Dijkstra probably hates me
(Linus Torvalds, on gotos in kernel/sched.c)




Message #20 received at 526409@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Tim Connors <tim.w.connors@gmail.com>
Cc: 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: evolution: permissions on mailbox folders are set wrong
Date: Mon, 04 May 2009 17:17:26 +0200
On Mon, 2009-05-04 at 17:35 +1000, Tim Connors wrote:
> Yes, I'm saying they should be created with more restrictive defaults.
> 
> > evolution should just use what the
> > current umask is. If you want it to another value, just set it in your
> > environment before running evolution (isn't that the purpose of umask
> > anyway?). Multi-user systems running evolution aren't that frequent, I
> > guess (multi-user systems aren't that frequent anyway, these days) and
> > you can adjust the permissions for your ~ and .evolution in a lot of
> > different ways. No need to add complexity to that huge stack of code.
> 
> Family machines?  (eg, the machine I found this bug on.  I myself wouldn't
> use evolution or indeed desktop environments if I was forced at gunpoint,
> but that's what mum uses.

I didn't say there were no multi-user machines. I was just saying that
they weren't the most common environment.

>  In desktop environments, good luck setting a
> sensible umask.)

Just set it in .xsessionrc.
> 
> What kind of complexity is
> 
> int main(...) {
>    umask(0077);   /* mask off all group and other permission bits */
>    ...
> }

And then you can't choose anything else if you want to, which makes me a
little uncomfortable.

Cheers,
-- 
Yves-Alexis

Message #25 received at 526409@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 526409@bugs.debian.org
Cc: Tim Connors <tim.w.connors@gmail.com>
Subject: Re: Bug#526409: [Evolution] Bug#526409: evolution: permissions on mailbox folders are set wrong
Date: Mon, 4 May 2009 21:32:18 +0200
On Mon, May  4, 2009 at 17:17:26 +0200, Yves-Alexis Perez wrote:

> > What kind of complexity is
> > 
> > int main(...) {
> >    umask(0077);   /* mask off all group and other permission bits */
> >    ...
> > }
> 
> > And then you can't choose anything else if you want to, which makes me a
> little uncomfortable.
> 
That actually seems quite sensible.  This being email we're talking
about.  It's either this, or audit every place evolution creates a
potentially sensitive file to pass 0600 to open().

Cheers,
Julien
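
The two options weighed above, one process-wide `umask()` call versus an explicit mode at every creation site, shown side by side in C as an added example (not Evolution's code and not part of the original thread). `mode_after_create()`, `scratch_path()` and the `/tmp` scratch name are hypothetical and exist only for this demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create `path` as a directory (is_dir != 0) or a file
 * while the process umask is `mask`, requesting `requested` permission bits.
 * Returns the bits the new object really has, or -1 on failure. The object
 * is removed again and the previous umask is restored. */
static int mode_after_create(const char *path, int is_dir, mode_t mask,
                             mode_t requested)
{
    struct stat st;
    int result = -1;
    mode_t saved = umask(mask);

    if (is_dir) {
        if (mkdir(path, requested) == 0) {
            if (stat(path, &st) == 0)
                result = (int)(st.st_mode & 0777);
            rmdir(path);
        }
    } else {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
        if (fd >= 0) {
            if (fstat(fd, &st) == 0)
                result = (int)(st.st_mode & 0777);
            close(fd);
            unlink(path);
        }
    }
    umask(saved);
    return result;
}

/* Scratch path unique to this process (constructed name). */
static void scratch_path(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/umask-demo-%ld", (long)getpid());
}

int main(void)
{
    char p[128];
    scratch_path(p, sizeof p);

    /* Usual desktop umask, default 0666/0777 requests: the reported state. */
    printf("umask 022, default modes:  file %04o  dir %04o\n",
           (unsigned)mode_after_create(p, 0, 0022, 0666),
           (unsigned)mode_after_create(p, 1, 0022, 0777));
    /* Option 1: a single umask(0077) early in main() covers every create. */
    printf("umask 077, default modes:  file %04o  dir %04o\n",
           (unsigned)mode_after_create(p, 0, 0077, 0666),
           (unsigned)mode_after_create(p, 1, 0077, 0777));
    /* Option 2: umask untouched, 0600/0700 passed at each creation site. */
    printf("umask 022, explicit modes: file %04o  dir %04o\n",
           (unsigned)mode_after_create(p, 0, 0022, 0600),
           (unsigned)mode_after_create(p, 1, 0022, 0700));
    /* The argument lists the bits to clear, so 0700 removes the owner's
     * access and leaves group/other untouched. */
    printf("umask 700, default modes:  file %04o  dir %04o\n",
           (unsigned)mode_after_create(p, 0, 0700, 0666),
           (unsigned)mode_after_create(p, 1, 0700, 0777));
    return 0;
}
```

Option 1 also covers files created by libraries and code paths nobody audited; option 2 leaves the user's umask in force for everything that is not mail data.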




Message #30 received at 526409@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Tim Connors <tconnors@rather.puzzling.org>, 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: evolution: permissions on mailbox folders are set wrong
Date: Mon, 04 May 2009 21:54:48 +0200
On Fri, 2009-05-01 at 11:25 +1000, Tim Connors wrote:
> tconnors@denman:~$ l /home/maree/.evolution/mail/local/Sent
> -rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent

By the way, it seems that “only” local mails are stored in a 755 folder.
At least pop and imap folders are 700:

corsac@hidalgo: ls .evolution/mail
total 60K
drwxr-xr-x 2 corsac corsac  20K mai  4 21:43 config
drwx------ 9 corsac corsac 4,0K fév  2 09:08 imap
drwxr-xr-x 3 corsac corsac 4,0K mai  4 21:42 local
drwxr-xr-x 2 corsac corsac 4,0K mai  3 23:46 vfolder
drwxr-xr-x 2 corsac corsac  20K mai  4 11:19 views
-rw------- 1 corsac corsac   68 mai  4 18:10 searches.xml
-rw------- 1 corsac corsac   68 mai  3 23:44 vfolders.xml

Cheers,
-- 
Yves-Alexis
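
A check for the state shown in the listing above, as an added example that is not part of the original thread and not Evolution's code: it walks a mail directory and counts entries that carry group/other permission bits and are still reachable by other users. `count_exposed()`, `sample_tree()` and the sample tree under `/tmp` are constructed for the demonstration; the walk assumes the directories above the audited root are traversable, and it treats anything below a directory that group/other cannot traverse as not exposed.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define GO_ANY  (S_IRWXG | S_IRWXO)  /* any group/other permission bit */
#define GO_EXEC (S_IXGRP | S_IXOTH)  /* group/other may traverse a directory */

/* Count entries at or below `path` that carry group/other bits and can still
 * be reached by other users. `reachable`: every directory above `path` is
 * traversable by group/other. Symlinks are skipped; -1 if lstat() fails. */
static int count_exposed(const char *path, int reachable)
{
    struct stat st;
    struct dirent *e;
    DIR *d;
    int n = 0, sub;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode))
        return 0;
    if (reachable && (st.st_mode & GO_ANY)) {
        printf("exposed %04o %s\n", (unsigned)(st.st_mode & 07777), path);
        n++;
    }
    if (!S_ISDIR(st.st_mode) || (d = opendir(path)) == NULL)
        return n;
    while ((e = readdir(d)) != NULL) {
        char child[4096];
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        sub = count_exposed(child, reachable && (st.st_mode & GO_EXEC) != 0);
        if (sub > 0)
            n += sub;
    }
    closedir(d);
    return n;
}

/* Constructed sample: directory modes as in the listing; file entries made up. */
static const struct { const char *rel; int is_dir; mode_t mode; } SAMPLE[] = {
    { "", 1, 0755 },        { "/config", 1, 0755 },
    { "/imap", 1, 0700 },   { "/imap/INBOX", 0, 0644 },
    { "/local", 1, 0755 },  { "/local/Sent", 0, 0644 },
    { "/searches.xml", 0, 0600 },
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

/* create != 0: build the sample under `root`; create == 0: remove it again. */
static int sample_tree(const char *root, int create)
{
    char p[4096];
    int i, fd, rc = 0;
    mode_t saved = umask(0);            /* make the modes above exact */
    for (i = 0; i < NSAMPLE; i++) {
        int k = create ? i : NSAMPLE - 1 - i;   /* children go first on removal */
        snprintf(p, sizeof p, "%s%s", root, SAMPLE[k].rel);
        if (!create)
            rc |= SAMPLE[k].is_dir ? rmdir(p) : unlink(p);
        else if (SAMPLE[k].is_dir)
            rc |= mkdir(p, SAMPLE[k].mode);
        else if ((fd = open(p, O_WRONLY | O_CREAT | O_EXCL, SAMPLE[k].mode)) < 0)
            rc = -1;
        else
            close(fd);
    }
    umask(saved);
    return rc ? -1 : 0;
}

int main(void)
{
    const char *root = "/tmp/evo-perm-audit-demo";   /* constructed scratch path */
    if (sample_tree(root, 1) != 0)
        return 1;
    printf("top directory 0755: %d exposed\n", count_exposed(root, 1));
    chmod(root, 0700);                  /* the "set ~/.evolution to 700" idea */
    printf("top directory 0700: %d exposed\n", count_exposed(root, 1));
    return sample_tree(root, 0) != 0;
}
```

With the top directory at 0755 the walk reports the directory itself, `config`, `local` and `local/Sent`; the 0644 file under the 0700 `imap` directory is not reported, and nothing is once the top directory is 0700.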

Noted your statement that Bug has been forwarded to http://bugzilla.gnome.org/show_bug.cgi?id=581604. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 06 May 2009 15:21:04 GMT)

Message #37 received at 526409@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 526409@bugs.debian.org
Subject: CVE-2009-1631: world-readable permissions for the .evolution directory
Date: Tue, 04 Aug 2009 17:31:25 +0200
Hi,

this issue got a CVE (Common Vulnerabilities & Exposures).

CVE-2009-1631[0]:
| The Mailer component in Evolution 2.26.1 and earlier uses
| world-readable permissions for the .evolution directory, and certain
| directories and files under .evolution/ related to local mail, which
| allows local users to obtain sensitive information by reading these
| files.


Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1631
    http://security-tracker.debian.net/tracker/CVE-2009-1631
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.

Changed Bug title to 'CVE-2009-1631: world-readable permissions for the .evolution directory' from 'evolution: permissions on mailbox folders are set wrong' Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Tue, 04 Aug 2009 15:36:06 GMT)

Message #44 received at 526409@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: CVE-2009-1631: world-readable permissions for the .evolution directory
Date: Tue, 04 Aug 2009 18:10:17 +0200
On Tue, 2009-08-04 at 17:31 +0200, Giuseppe Iuculano wrote:
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable and oldstable. It
> does not warrant a DSA.
> 
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.

Hmhm, not sure how large and applicable the patch against 2.22.3.1
(lenny) is.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

Fix is already in for unstable. testing will have it as soon as it's
built on mipsel.

Cheers,
-- 
Yves-Alexis





Message #49 received at 526409@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: CVE-2009-1631: world-readable permissions for the .evolution directory
Date: Tue, 04 Aug 2009 18:31:14 +0200
Yves-Alexis Perez wrote:
> Fix is already in for unstable. testing will have it as soon as it's
> built on mipsel.

Well, could you tell me in which version it was fixed?

Cheers,
Giuseppe.

Message #54 received at 526409@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>
Cc: 526409@bugs.debian.org
Subject: Re: [Evolution] Bug#526409: CVE-2009-1631: world-readable permissions for the .evolution directory
Date: Tue, 04 Aug 2009 19:11:07 +0200
On Tue, 2009-08-04 at 18:31 +0200, Giuseppe Iuculano wrote:
> Yves-Alexis Perez wrote:
> > Fix is already in for unstable. testing will have it as soon as it's
> > built on mipsel.
> 
> Well, could you tell me in which version it was fixed?

In fact I'm not that sure. The previous mail said the versions prior to
2.26.1 were affected so I supposed it was fixed in 2.26.2, but in fact
it's not said in the upstream bug report so it might be too strong an
assumption, sorry.

-- 
Yves-Alexis

Severity set to 'important' from 'grave' Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sun, 10 Jan 2010 18:24:10 GMT)

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 25 Mar 2010 17:45:13 GMT)

Message #63 received at 526409@bugs.debian.org:

From: Noèl Köthe <noel@debian.org>
To: 526409@bugs.debian.org
Subject: #526409 CVE-2009-1631: world-readable permissions for the .evolution directory
Date: Sun, 11 Apr 2010 11:57:44 +0200
Hello,

upstream bugzilla says that the fix will be/is included in 2.30:

https://bugzilla.gnome.org/show_bug.cgi?id=581604#c10

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org

Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Sat, 29 May 2010 11:09:10 GMT)

Notification sent to Tim Connors <tconnors@rather.puzzling.org>:
Bug acknowledged by developer. (Sat, 29 May 2010 11:09:10 GMT)

Message #68 received at 526409-done@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 526409-done@bugs.debian.org
Subject: forgot to close that bug
Date: Sat, 29 May 2010 13:05:40 +0200
Version: 2.29.90-1
-- 
Yves-Alexis

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jul 2010 07:30:52 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:15 2019; Machine Name: buxtehude
