Local security threat + patch to fix
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GNU Mailman |
Fix Released
|
Critical
|
Barry Warsaw | ||
Bug Description
The wrapper program could possibly be used by local
users to gain access to the mailman group and thus
compromise sensative information accessable by group
mailman. The offending code was introduced I think
in 2.0 beta3 and is still there in current CVS.
The problem is in the fatal() function, it takes user
input and fprintf's it without formatting it first.
Because wrapper is sgid and with permission setup the
way they are (all regular can access /home/mailman/mail
and wrapper because the directories and the program are
are set mode 2755. Anyway, here's the problem:
[root@king mailman-2.0beta3]# l /home/mailman/
-rwxr-sr-x 1 root mailman 36562 Jul 27 23:46
/home/mailman/
[root@king mailman-2.0beta3]# /home/mailman/
Usage: /home/mailman/
[root@king mailman-2.0beta3]# /home/mailman/
Illegal command: dog[root@king mailman-2.0beta3]#
[root@king mailman-2.0beta3]# /home/mailman/
Illegal command: Illegal command: %s%sIýÿ¿
mailman-2.0beta3]#
[root@king mailman-2.0beta3]# /home/mailman/
Illegal command: %U[root@king mailman-2.0beta3]# /home/mailman/
%u
Illegal command: 3221223312[
/home/mailman/
Illegal command: 0xbffff790[
/home/mailman/
Illegal command: Illegal command: %s%sIýÿ¿
mailman-2.0beta3]#
[root@king mailman-2.0beta3]# /home/mailman/
Segmentation fault
I know it looks badly placed but the error message doesn't
insert a newline so it gets bunched up. Anyway the
problem is quite simple. Here is another way it could
done:
[root@king mailman-2.0beta3]# doexec /home/mailman/
Usage: (null) program [args...]
[root@king mailman-2.0beta3]# doexec /home/mailman/
Usage: Usage: %s program [args...]
program [args...]
[root@king mailman-2.0beta3]# doexec /home/mailman/
Usage: Usage: %s%s program [args...]
Xýÿ¿=@Tüÿ¿(üÿ¿>@ program [args...]
[root@king mailman-2.0beta3]# doexec /home/mailman/
Segmentation fault
Anyway here's the patch to fix the prob in common.c
plus I fixed calls to fatal() which lacked \n at the
which are necessary since fatal() doesn't add one
on its own.
diff -u -r ./cgi-wrapper.
--- ./cgi-wrapper.
+++ ./cgi-wrapper.c Fri Jul 28 00:17:42 2000
@@ -53,7 +53,7 @@
status = run_script(
- fatal(logident, status, "%s", strerror(errno));
+ fatal(logident, status, "%s\n", strerror(errno));
return status;
}
diff -u -r common.c.orig ./common.c
--- ./common.c.orig Mon May 22 14:59:31 2000
+++ ./common.c Thu Jul 27 23:58:12 2000
@@ -108,7 +108,7 @@
}
else
- fprintf(stderr, log_entry);
+ fprintf(stderr, "%s", log_entry);
#endif /* HELPFUL */
}
diff -u -r ./mail-
--- ./mail-
+++ ./mail-wrapper.c Fri Jul 28 00:16:34 2000
@@ -67,13 +67,13 @@
if (!check_
- "Illegal command: %s", argv[1]);
+ "Illegal command: %s\n", argv[1]);
/* If we got here, everything must be OK */
status = run_script(argv[1], argc, argv, env);
- fatal(logident, status, "%s", strerror(errno));
+ fatal(logident, status, "%s\n", strerror(errno));
return status;
}
The patch was made against latest CVS release, but like
I said it affected Beta3 and Beta4 as well. Maybe you
should supply patch to users of that or release new
Beta5 to fix it or something if people really care :)
Good luck,
Stan Bubrouski (<email address hidden>)
[http://
| Barry Warsaw (barry) wrote | #1 |
I have applied this patch to 2.0b5, although I added the \n's in fatal()
and removed them elsewhere. Thanks!
BTW, the SourceForge patch manager is better for posting the patch text.