===================================================================== CERT-Renater Note d'Information No. 2001/VULN123 _____________________________________________________________________ DATE : 10/04/2001 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Debian Progeny et GNU/Linux ====================================================================== --------------------------------------------------------------------------- PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-03 --------------------------------------------------------------------------- Topic: mailx buffer overflow Category: mail Module: mailx Announced: 2001-04-09 Credits: Debian Security Team Affects: Progeny Debian (mailx prior to 8.1.1-10.1.5progeny1) Debian GNU/Linux (mailx prior to 8.1.1-10.1.5) Vendor-Status: New Version Released (mailx_8.1.1-10.1.5progeny1) Corrected: 2001-04-09 Progeny Only: NO $Id: PROGENY-SA-2001-03,v 1.5 2001/04/09 08:39:58 csg Exp $ --------------------------------------------------------------------------- SYNOPSIS A buffer overflow in mailx allows a local user to gain access to the mail group. PROBLEM DESCRIPTION Mailx is a simple program to read and send e-mail. Mailx is installed setgid mail on Progeny and Debian systems. A buffer overflow in mailx allows for a local user to gain access to the mail group, which would allow that user to read and write to other mail spools. Debian resolved this problem by no longer shipping mailx setgid mail. Progeny has decided to use Debian's fix. This means that on mail systems that do not have world writable mail spools one will not be able to properly lock one's mailbox. IMPACT Local users can compromise the privileges of the mail group. SOLUTION Upgrade to a fixed version of mailx. You may use Progeny's mailx package, version mailx_8.1.1-10.1.5progeny1, for convenience. WORKAROUND 1. If you do not have the suidmanager package (which supplies the suidregister command) installed you can retrieve it by running the following command. If you already have this package skip to the second step of the workaround. apt-get update && apt-get install suidmanager 2. Now you can manually apply this fix by running the following as root: suidregister /usr/bin/mail root root 0755 UPDATING VIA APT-GET 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's security update repository: deb http://archive.progeny.com/progeny updates/newton/ 2. Update your cache of available packages for apt(8). Example: # apt-get update 3. Using apt(8), install the new kernel package. apt(8) will download the update, verify it's integrity with md5, and then install the package on your system with dpkg(8). Example: # apt-get install mailx UPDATING VIA DPKG 1. Using your preferred FTP/HTTP client to retrieve the following updated files from Progeny's update archive at: http://archive.progeny.com/pub/progeny/updates/newton/ Filename MD5 Checksum ------------------------------------ -------------------------------- mailx_8.1.1-10.1.5progeny1_i386.deb fe12bbc355688e9eeff853cf13ed7f58 Example: # wget http://archive.progeny.com/pub/progeny/updates/newton/mailx_8.1.1-10.1.5progeny1_i386.deb 2. Use the md5sum command on the retrieved file to verify that it matches the md5sum provided in this advisory: Example: # md5sum mailx_8.1.1-10.1.5progeny1_i386.deb 3. Then install the replacement package(s) using the dpkg command. Example: # dpkg --install mailx_8.1.1-10.1.5progeny1_i386.deb MORE INFORMATION There is no more information available at this time. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================