===================================================================== CERT-Renater Note d'Information No. 2006/VULN118 _____________________________________________________________________ DATE : 30/03/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : NetBSD 1.6 through NetBSD-current (source prior to March 03, 2006). ====================================================================== NetBSD Security Advisory 2006-007 ================================= Topic: mail(1) creates record file with insecure umask Version: NetBSD-current: source prior to March 03, 2006 NetBSD 3.0 affected NetBSD 2.1: affected NetBSD 2.0.*: affected NetBSD 2.0: affected NetBSD 1.6.*: affected NetBSD 1.6: affected Severity: Information disclosure Fixed: NetBSD-current: March 03, 2006 NetBSD-3-0 branch: March 17, 2006 (3.0.1 will include the fix) NetBSD-3 branch: March 17, 2006 NetBSD-2-1 branch: March 17, 2006 (2.1.1 will include the fix) NetBSD-2-0 branch: March 17, 2006 (2.0.4 will include the fix) NetBSD-2 branch: March 17, 2006 Abstract ======== If the "set record" setting is present in a users .mailrc, and they have the default umask set, the record file will be created with insecure permissions. Technical Details ================= When mail(1) creates the users record file it currently does so using the default umask of 0644. This may leave the record file of a users email readable by other users of the system. Solutions and Workarounds ========================= The default NetBSD running mail configuration is not vulnerable to this bug, since the "set record" setting is not present by default in .mailrc. The following instructions describe how to upgrade your mail binaries by updating your source tree and rebuilding and installing a new version of mail. * NetBSD-current: Systems running NetBSD-current dated from before 2006-03-02 should be upgraded to NetBSD-current dated 2006-03-03 or later. The following file needs to be updated from the netbsd-current CVS branch (aka HEAD): usr.bin/mail/send.c To update from CVS, re-build, and re-install mail: # cd src # cvs update -d -P usr.bin/mail/send.c # cd usr.bin/mail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 3.*: Systems running NetBSD 3.* sources dated from before 2006-03-16 should be upgraded from NetBSD 3.* sources dated 2006-03-17 or later. The following file needs to be updated from the netbsd-3 or netbsd-3-0 CVS branch: usr.bin/mail/send.c To update from CVS, re-build, and re-install mail: # cd src # cvs update -d -P -r usr.bin/mail/send.c # cd usr.bin/mail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 2.*: Systems running NetBSD 2.* sources dated from before 2006-03-16 should be upgraded from NetBSD 2.* sources dated 2006-03-17 or later. The following file needs to be updated from the netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch: usr.bin/mail/send.c To update from CVS, re-build, and re-install mail: # cd src # cvs update -d -P -r usr.bin/mail/send.c # cd usr.bin/mail # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Johan Veenhuizen for reporting the bug to the NetBSD Security Officer. Christos Zoulas for implementing the fixes in -HEAD. Revision History ================ 2006-03-29 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-007.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2006-007.txt,v 1.6 2006/03/29 11:14:28 adrianp Exp $ ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================