Postfix local privilege escalation via hardlinked symlinks

Bug #258162 reported by Till Ulen
Affects: postfix (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: LaMont Jones

Bug Description

Binary package hint: postfix

Wietse Venema posted an advisory about this to Bugtraq. Excerpt:

"Sebastian Krahmer of SuSE has found a privilege escalation problem.
On some systems an attacker can hardlink a root-owned symlink to
for example /var/mail, and cause Postfix to append mail to existing
files that are owned by root or non-root accounts."

http://www.securityfocus.com/archive/1/495474/30/0/threaded

No CVE number has been assigned to this problem yet, to the best of my knowledge.
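
A defensive audit for the condition the advisory excerpt describes, as an added example that is not part of the bug report or of Postfix: it lists symlinks in a mail spool directory and flags those whose link count is above one. The function names, the finding labels and the sample spool built in a temporary directory are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_spool(spool_dir):
    """List spool entries that are symlinks or regular files with extra hard links."""
    findings = []
    with os.scandir(spool_dir) as entries:
        for entry in entries:
            st = os.lstat(entry.path)  # lstat: inspect the link itself, not its target
            is_link = stat.S_ISLNK(st.st_mode)
            if is_link and st.st_nlink > 1:
                kind = "hardlinked-symlink"  # the case the advisory excerpt describes
            elif is_link:
                kind = "symlink"
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                kind = "multiply-linked-file"
            else:
                continue
            findings.append({
                "name": entry.name,
                "kind": kind,
                "nlink": st.st_nlink,
                "owner_uid": st.st_uid,
                "target": os.readlink(entry.path) if is_link else None,
            })
    return sorted(findings, key=lambda f: f["name"])


def make_constructed_spool():
    """Build a constructed sample: a spool directory plus an outside directory."""
    root = tempfile.mkdtemp(prefix="spool-audit-")
    spool, outside = os.path.join(root, "mail"), os.path.join(root, "outside")
    os.mkdir(spool)
    os.mkdir(outside)
    target = os.path.join(outside, "target")
    for path in (target, os.path.join(spool, "alice")):
        with open(path, "w") as fh:
            fh.write("")
    os.symlink(target, os.path.join(outside, "link"))
    # Hard link to the symlink itself (not to its target) inside the spool.
    os.link(os.path.join(outside, "link"), os.path.join(spool, "bob"), follow_symlinks=False)
    os.symlink(target, os.path.join(spool, "carol"))
    return spool


if __name__ == "__main__":
    for finding in audit_spool(make_constructed_spool()):
        print(finding)
```

To check a real system, pass the spool path (for example /var/mail) to `audit_spool`; each finding is a prompt for review, since a symlink in a spool can be intentional.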

Scott Kitterman (kitterman) wrote :

Updates for all Ubuntu releases have been prepared and are going through the security update process.

Changed in postfix:
status: New → In Progress
LaMont Jones (lamont) wrote :

It's CVE-2008-2936, and fixed in:
2.2.10-1ubuntu0.2 (dapper)
2.3.8-2ubuntu0.1 (feisty)
2.4.5-3ubuntu1.1 (gutsy)
2.5.1-2ubuntu1 (hardy)
2.5.4-1 (intrepid)

None of these have hit the archive, see also https://bugs.edge.launchpad.net/ubuntu/+source/postfix/+bug/257893
I'd expect to see the -security stuff shortly.

CVE-2008-2937 was also assigned for the issue that was fixed in 2.5.3, which applies if you have a mode 1777 /var/mail.
That should not be confused with any sane configuration of mail.

lamont

Changed in postfix:
status: In Progress → Fix Committed
Kees Cook (kees) wrote :
Changed in postfix:
assignee: nobody → lamont
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.