http://bugs.exim.org/show_bug.cgi?id=988
Summary: CVE-2010-2023 - vulnerability with world-writable sticky mbox mail directory
Product: Exim
Version: 4.71
Platform: All
OS/Version: All
Status: NEW
Severity: security
Priority: high
Component: Delivery in general
AssignedTo: nigel@???
ReportedBy: nigel@???
CC: exim-dev@???, dan.j.rosenberg@???
[Copied from original notification email and followups]
When Exim is used with a world-writable mail directory with the
sticky-bit set, local users may create hard links to other non-root
users' files at the expected location of those users' mailboxes,
causing their files to be written to upon mail delivery. This could
be used to create denial-of-service conditions or potentially escalate
privileges to those of targeted users. This issue has been assigned
CVE-2010-2023.
[...]
Let me know if you have any questions about these issues, or have any
problems with the patch. Even though neither of these two
vulnerabilities affects many downstream distributions by default
(since sticky-bit mail directories are becoming more rare and MBX
locking isn't used by many distributions), I'd like to publish an
advisory for these issues independently once you have released a fix.
I'd appreciate it if you kept me posted on any progress in regards to
these issues.
[Followup message]
For the first issue, it's not a matter of reading a user's mail, but
causing mail deliveries to that user to overwrite other files owned by
that user. For example, if we use your example of victim "foo" and
attacker "bar", where "foo" has no mailbox, "bar" can create a
hardlink to another one of foo's files, such as /home/foo/.bashrc.
Subsequent mail delivery will append to this file, allowing an
attacker to append information to other users' files.
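
An added defensive check, not part of the original report or of any Exim patch: a Python audit that flags mailbox entries in a spool directory whose hard link count is above one, which is the condition described in the followup above. The function names, directory layout and sample files are assumptions, built in a temporary directory.

```python
import os
import stat
import tempfile


def audit_spool(spool_dir):
    """Return (name, reason) findings for a mail spool directory."""
    findings = []
    dmode = os.stat(spool_dir).st_mode
    if dmode & stat.S_IWOTH and dmode & stat.S_ISVTX:
        findings.append((".", "world-writable sticky directory"))
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))  # never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
        elif st.st_nlink > 1:
            # Owner and name both look right here, since the link points at
            # the victim's own file; the link count is the only signal.
            findings.append((name, "hard link count %d" % st.st_nlink))
    return findings


def demo():
    """Build a constructed spool in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "mail")      # stands in for the mail directory
        home = os.path.join(root, "home_foo")   # stands in for /home/foo
        os.mkdir(spool)
        os.mkdir(home)
        os.chmod(spool, 0o1777)                 # world-writable with sticky bit
        with open(os.path.join(spool, "alice"), "w") as fh:
            fh.write("From alice\n")            # ordinary mailbox, one link
        with open(os.path.join(home, ".bashrc"), "w") as fh:
            fh.write("# constructed sample\n")
        # Constructed instance of the reported condition: mailbox name "foo"
        # is a second link to a file in foo's home directory.
        os.link(os.path.join(home, ".bashrc"), os.path.join(spool, "foo"))
        return audit_spool(spool)


if __name__ == "__main__":
    for name, reason in demo():
        print(name, reason)
```

Run against a real spool, `audit_spool` needs only read and search permission on the directory; any entry it reports with a link count above one should be inspected before the next delivery to that user.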