Comment 5 for bug 531569

Dan Rosenberg (dan-j-rosenberg) wrote :

I've attached my patch for the issue. I removed the calls to access(), and instead called setegid() to drop group permissions before opening both the input and output files. I re-raised the egid after this, because movemail needs egid mail to create a lockfile in the mail directory if it's not world-writeable. Movemail already dropped the euid with setuid() prior to opening the files, so I didn't have to deal with that. I inserted checks on the return values of all the setuid() functions, just to be safe.

I've confirmed that this resolves the vulnerability and does not break functionality.
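Added example, not part of the comment, the attached patch, or movemail's source: a minimal C sketch of the pattern the comment describes, with the check-then-open form next to an open performed under a temporarily dropped egid whose return values are all checked. The function names `open_after_access` and `open_with_dropped_egid` and the `-2` "could not restore" return code are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Check-then-open: access() tests the real uid/gid, but open() runs later
 * with the privileged egid, and the file behind path can change in between. */
int open_after_access(const char *path, int flags)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, flags);
}

/* Drop egid to the real gid so the kernel's own permission check inside
 * open() is the only check, then restore the egid needed afterwards (for a
 * setgid program, the lockfile step). Returns the fd, -1 if the drop or the
 * open failed, or -2 (hypothetical code) if the egid could not be restored. */
int open_with_dropped_egid(const char *path, int flags, mode_t mode)
{
    gid_t priv_gid = getegid();      /* e.g. "mail" in a setgid binary */
    int fd, saved_errno;

    if (setegid(getgid()) != 0)      /* never ignore a failed drop */
        return -1;
    fd = open(path, flags, mode);
    saved_errno = errno;
    if (setegid(priv_gid) != 0) {    /* re-raise; the caller must abort on -2 */
        if (fd >= 0)
            close(fd);
        return -2;
    }
    errno = saved_errno;
    return fd;
}

int main(void)
{
    int fd = open_with_dropped_egid("/dev/null", O_RDONLY, 0);
    printf("fd=%d egid=%ld\n", fd, (long)getegid());
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```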