nm4 2010/05/26 13:26:01 BST
Modified files:
exim-doc/doc-txt ChangeLog
exim-src/src/transports appendfile.c
Log:
Prevent hardlink attack on mbox sticky mail directory. fixes: bug #988
Revision Changes Path
1.608 +3 -0 exim/exim-doc/doc-txt/ChangeLog
1.25 +12 -0 exim/exim-src/src/transports/appendfile.c
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.607
retrieving revision 1.608
diff -u -r1.607 -r1.608
--- ChangeLog 23 Mar 2010 14:06:48 -0000 1.607
+++ ChangeLog 26 May 2010 12:26:00 -0000 1.608
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.607 2010/03/23 14:06:48 jetmore Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.608 2010/05/26 12:26:00 nm4 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -25,6 +25,9 @@
JJ/03 installed exipick 20100323.0, fixing doc bug
+NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail
+ directory. Notification and patch from Dan Rosenberg
+
Exim version 4.71
-----------------
Index: appendfile.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/transports/appendfile.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- appendfile.c 16 Nov 2009 19:50:39 -0000 1.24
+++ appendfile.c 26 May 2010 12:26:01 -0000 1.25
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/transports/appendfile.c,v 1.24 2009/11/16 19:50:39 nm4 Exp $ */
+/* $Cambridge: exim/exim-src/src/transports/appendfile.c,v 1.25 2010/05/26 12:26:01 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -1806,6 +1806,18 @@
goto RETURN;
}
+ /* Just in case this is a sticky-bit mail directory, we don't want
+ users to be able to create hard links to other users' files. */
+
+ if (statbuf.st_nlink != 1)
+ {
+ addr->basic_errno = ERRNO_NOTREGULAR;
+ addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
+ filename, islink? " (symlink)" : "", statbuf.st_nlink);
+ goto RETURN;
+
+ }
+
/* If symlinks are permitted (not recommended), the lstat() above will
have found the symlink. Its ownership has just been checked; go round
the loop again, using stat() instead of lstat(). That will never yield a
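Review bot: The `%d` in the new `string_sprintf` call is given `statbuf.st_nlink`, whose type `nlink_t` is not `int` on every platform, so assuming `string_sprintf` follows printf conventions the argument should be cast to match, e.g. `filename, islink? " (symlink)" : "", (int)statbuf.st_nlink);`. The test reads the `statbuf` filled by the earlier `lstat()` on the path, so it describes the name before the mailbox is opened; the open and any later re-check are outside this hunk, and it is worth confirming that the link count is also verified on the opened descriptor. The comment could state outright that a link count other than 1 means another directory entry refers to the same inode, which is why delivery is refused. The blank line left before the closing brace of the new `if` body can be dropped. The enclosing function begins and ends outside the hunk.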