[1152] in linux-security and linux-alert archive


Re: [linux-security] Fix available for elm 2.4 filter security hole

daemon@ATHENA.MIT.EDU (Chris Adams)
Thu Sep 12 20:17:36 1996

From: Chris Adams <cadams@sh1.ro.com>
To: jna@retina.net (jna)
Date: Wed, 11 Sep 1996 23:35:35 -0500 (CDT)
Cc: linux-security-digest@tarsier.cv.nrao.edu
In-Reply-To: <199609092053.BAA15762@focus.retina.net> from "jna" at Sep 10, 96 01:53:02 am
Reply-To: C.Adams@Yellow-Jackets.com

Once upon a time, jna wrote
> I don't know if a patch has been made available for 
> the security hole in ELM's filter (version 2.4PL25), 
> but as of patch level 25, the bug still exists. 
> 
> Users can read the electronic mail of any user they choose with a simple
> exploit script (which has been published on the list before, so I won't
> rehash it here again)
> 
> Basically, I've written a simple, blanket (bleh!) fix for filter that
> prevents filter from opening any symbolic links while it's running. 
> 
> If you know of a patch for filter that has fixed this already, let me know,
> otherwise, if you need a copy of this patch, send me mail. :) 

Well, I tried the copy of the script that worked under Slackware 3.0,
and it does not appear to work under RedHat 3.0.3.  I looked at the
source rpm, and it has the included patch.
-- 
Chris Adams - cadams@ro.com - System Admin - Renaissance Internet Services
"So, if anybody wants to have hardware sent to them: don't call me, but
instead write your own unix operating system.  It has worked every time
for me." - Linus Torvalds, author of Linux (Unix-like) OS


--- elm-2.4.24c/filter/actions.c.marc	Tue Aug  3 15:28:40 1993
+++ elm-2.4.24c/filter/actions.c	Thu Jan 25 11:44:15 1996
@@ -96,11 +96,17 @@
        * else, that we'll try to do nice things with it on the fly...
        */
 
+        uid_t euid;
+        gid_t egid;
+   
 	FILE *pipefd, *tempfd, *mailfd;
 	int  in_header = TRUE, line_count = 0, mailunit, pid, statusp;
 	char tempfile[SLEN], mailbox[SLEN],
 	     buffer[VERY_LONG_STRING], *cp;
 
+        euid = geteuid();
+        egid = getegid();
+   
 	if (verbose && ! log_actions_only && outfd != NULL)
 	  fprintf(outfd, catgets(elm_msg_cat,FilterSet,FilterMailingMessage,
 				 "filter (%s): Mailing message to %s\n"), 
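Review bot: the new declarations and the geteuid()/getegid() assignments are indented with spaces while the surrounding block uses tabs, and the two `+   ` separator lines carry trailing whitespace; match the file's tab indentation and drop the trailing spaces. More importantly, saving euid/egid only helps if the later switch back can actually restore them: on a setuid-root binary, setuid(user_uid) replaces the saved uid as well, so seteuid()/setegid(), which change only the effective ids, would make the round trip work.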
@@ -109,6 +115,9 @@
 	if (! show_only) {
 	  sprintf(tempfile, "%s.%d", filter_temp, getpid());
 
+	  setuid(user_uid);
+	  setgid(user_gid);
+	   
 	  if ((tempfd = fopen(tempfile, "r")) == NULL) {
 	    if (outfd != NULL)
 	      fprintf(outfd, catgets(elm_msg_cat,FilterSet,
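Review bot: setuid(user_uid) and setgid(user_gid) are called without checking their return values, so if either fails the fopen() of tempfile still runs with filter's privileges, which is exactly the exposure this patch is meant to close; test both results and abort on failure. The order is also backwards for a privileged process: drop the group first with setgid(), then the user with setuid(), because once the effective uid is no longer privileged a setgid() to an arbitrary gid can fail.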
@@ -118,6 +127,9 @@
 	    if (outfd != NULL) fclose(outfd);
 	    exit(1);
 	  }
+	   
+	  setuid(euid);
+	  setgid(egid);
 	 	
 	  if (strcmp(address, username) != 0) {	/* mailing to someone else */
 	    
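Review bot: the restore via setuid(euid)/setgid(egid) discards both return values; if it fails silently, the mailbox handling that follows runs as the user rather than with filter's privileges and fails later with a confusing error, so check and report the result here. The exit(1) path just above never reaches this restore, which is fine, but the restore should mirror the drop in reverse order (uid first, then gid) so that the group switch is made while the privileged uid is back in effect.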
@@ -351,6 +363,12 @@
       char  filename[SLEN], buffer[SLEN];
       int   fdunit;
       
+      uid_t euid;
+      gid_t egid;
+
+      setuid(user_uid);
+      setgid(user_gid);
+
       sprintf(filename, "%s.%d", filter_temp, filter_pid);
       
       if ((fdunit = open(foldername,
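Review bot: euid and egid are declared here but never assigned; unlike the first hunk there is no geteuid()/getegid() call, so the setuid(euid)/setgid(egid) restores in the following hunk operate on indeterminate values. Initialise them at the declaration, e.g. `uid_t euid = geteuid();` and `gid_t egid = getegid();`. This hunk also drops to user_uid/user_gid before the open(foldername, ...) below, while the next hunk drops again before the temp-file fopen(); decide which open needs the user's credentials, switch once, and restore on every exit path, including the failure branch of this open().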
@@ -365,14 +383,21 @@
       }
       fd = fdopen(fdunit,"a");
       
+      setuid(user_uid);
+      setgid(user_gid);
+      
       if ((tempfd = fopen(filename, "r")) == NULL) {
 	    if (outfd != NULL)
 		 fprintf(outfd,catgets(elm_msg_cat,FilterSet,
 				       FilterCantOpenTempFile3, 
 		       "filter (%s): can't open temp file %s for reading!\n"),
 			 date_n_user(),filename);
+	    setuid(euid);
+	    setgid(egid);
 	    return(1);
       }
+      setuid(euid);
+      setgid(egid);
       
       while (fgets(buffer, sizeof(buffer), tempfd) != NULL)
 	   fputs(buffer, fd);
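Review bot: the setuid(user_uid)/setgid(user_gid) pair before fopen(filename, "r") is redundant with the identical pair added in the previous hunk, since nothing restores privileges in between, and the two setuid(euid)/setgid(egid) restores use euid/egid that were never initialised. All six calls also ignore their return values: a failed drop means the temp file is opened with filter's privileges, and a failed restore leaves the code after return(1) or after the fgets() loop without the privileges it expects. Check each call and fail closed, and keep a single drop/restore pair so the error path at return(1) and the success path cannot get out of sync.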
