[1152] in linux-security and linux-alert archive
Re: [linux-security] Fix available for elm 2.4 filter security hole
daemon@ATHENA.MIT.EDU (Chris Adams)
Thu Sep 12 20:17:36 1996
From: Chris Adams <cadams@sh1.ro.com>
To: jna@retina.net (jna)
Date: Wed, 11 Sep 1996 23:35:35 -0500 (CDT)
Cc: linux-security-digest@tarsier.cv.nrao.edu
In-Reply-To: <199609092053.BAA15762@focus.retina.net> from "jna" at Sep 10, 96 01:53:02 am
Reply-To: C.Adams@Yellow-Jackets.com
Once upon a time, jna wrote
> I don't know if a patch has been made available for
> the security hole in ELM's filter (version 2.4PL25),
> but as of patch level 25, the bug still exists.
>
> Users can read the electronic mail of any user they choose with a simple
> exploit script (which has been published on the list before, so I won't
> rehash it here again)
>
> Basically, I've written a simple, blanket (bleh!) fix for filter that
> prevents filter from opening any symbolic links while it's running.
>
> If you know of a patch for filter that has fixed this already, let me know,
> otherwise, if you need a copy of this patch, send me mail. :)
Well, I tried the copy of the script that worked under Slackware 3.0,
and it does not appear to work under RedHat 3.0.3. I looked at the
source rpm, and it has the included patch.
--
Chris Adams - cadams@ro.com - System Admin - Renaissance Internet Services
"So, if anybody wants to have hardware sent to them: don't call me, but
instead write your own unix operating system. It has worked every time
for me." - Linus Torvalds, author of Linux (Unix-like) OS
--- elm-2.4.24c/filter/actions.c.marc Tue Aug 3 15:28:40 1993
+++ elm-2.4.24c/filter/actions.c Thu Jan 25 11:44:15 1996
@@ -96,11 +96,17 @@
* else, that we'll try to do nice things with it on the fly...
*/
+ uid_t euid;
+ gid_t egid;
+
FILE *pipefd, *tempfd, *mailfd;
int in_header = TRUE, line_count = 0, mailunit, pid, statusp;
char tempfile[SLEN], mailbox[SLEN],
buffer[VERY_LONG_STRING], *cp;
+ euid = geteuid();
+ egid = getegid();
+
if (verbose && ! log_actions_only && outfd != NULL)
fprintf(outfd, catgets(elm_msg_cat,FilterSet,FilterMailingMessage,
"filter (%s): Mailing message to %s\n"),
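Review bot: the ids saved here with geteuid()/getegid() are later dropped and restored with setuid()/setgid() rather than seteuid()/setegid(). For a program that runs with privilege, setuid(user_uid) can change the real, effective and saved ids together, after which the later setuid(euid) cannot bring the set-id credentials back; using seteuid()/setegid() for the temporary drop and restore keeps the saved set-id available and makes the intent explicit.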
@@ -109,6 +115,9 @@
if (! show_only) {
sprintf(tempfile, "%s.%d", filter_temp, getpid());
+ setuid(user_uid);
+ setgid(user_gid);
+
if ((tempfd = fopen(tempfile, "r")) == NULL) {
if (outfd != NULL)
fprintf(outfd, catgets(elm_msg_cat,FilterSet,
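Review bot: the drop `setuid(user_uid); setgid(user_gid);` is in the wrong order and unchecked. Once the effective uid is no longer privileged, the following setgid() may fail, and a failed call leaves the fopen() of the temp file running with the set-id credentials, which is exactly the situation the patch is meant to prevent; change the group first (`setgid(user_gid);` then `setuid(user_uid);`) and treat a -1 return from either as fatal before the open.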
@@ -118,6 +127,9 @@
if (outfd != NULL) fclose(outfd);
exit(1);
}
+
+ setuid(euid);
+ setgid(egid);
if (strcmp(address, username) != 0) { /* mailing to someone else */
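Review bot: the return values of `setuid(euid); setgid(egid);` are not checked, so a failed restore is not detected here and the delivery code that follows (the `strcmp(address, username)` branch onwards) would run with the user's credentials and fail in a confusing place instead. Check both results and abort on failure; the exit(1) path above needs no restore since the process ends there.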
@@ -351,6 +363,12 @@
char filename[SLEN], buffer[SLEN];
int fdunit;
+ uid_t euid;
+ gid_t egid;
+
+ setuid(user_uid);
+ setgid(user_gid);
+
sprintf(filename, "%s.%d", filter_temp, filter_pid);
if ((fdunit = open(foldername,
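Review bot: `uid_t euid; gid_t egid;` are declared in this function but nothing in this hunk assigns them (there is no `euid = geteuid();` as in the first hunk), while the restores later in the same function use them; add the geteuid()/getegid() capture before the drop. Note also that the drop now sits before `open(foldername, ...)`, so the destination folder itself is opened with the user's ids rather than the set-id ones; confirm that this is intended for delivery into a group-owned spool, and check the setuid()/setgid() return values as elsewhere.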
@@ -365,14 +383,21 @@
}
fd = fdopen(fdunit,"a");
+ setuid(user_uid);
+ setgid(user_gid);
+
if ((tempfd = fopen(filename, "r")) == NULL) {
if (outfd != NULL)
fprintf(outfd,catgets(elm_msg_cat,FilterSet,
FilterCantOpenTempFile3,
"filter (%s): can't open temp file %s for reading!\n"),
date_n_user(),filename);
+ setuid(euid);
+ setgid(egid);
return(1);
}
+ setuid(euid);
+ setgid(egid);
while (fgets(buffer, sizeof(buffer), tempfd) != NULL)
fputs(buffer, fd);
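Review bot: the second `setuid(user_uid); setgid(user_gid);` after fdopen() is redundant, since the previous hunk already dropped to the user's ids before `open(foldername, ...)` and nothing in between restores them; and both restores, `setuid(euid); setgid(egid);` on the error path and on the success path, use euid/egid that this function never assigned, so they set the ids to uninitialized values. Either keep the drop here and delete the earlier one, or capture the ids at the top of the function; in both cases check the return values.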
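The two ideas in this thread, jna's refusal of symbolic links and the patch's drop to the user's ids around the temp-file open, combined into one routine as an added example; this is not elm's code nor either poster's. The function and file names, the /tmp location and the use of O_NOFOLLOW are assumptions of this example, and it uses seteuid()/setegid() with checked return values where the patch uses setuid()/setgid().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Open path read-only with the user's ids in effect, refusing symbolic links.
 * Returns an fd or -1 with errno set; effective ids are restored on every path
 * and a failed restore is fatal (fail closed rather than run as the wrong id). */
int open_as_user_nofollow(const char *path, uid_t user_uid, gid_t user_gid)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd, saved;
    /* Drop the group before the user: once the uid is gone, setegid() may fail. */
    if (setegid(user_gid) != 0 || seteuid(user_uid) != 0) {
        saved = errno;
        if (setegid(egid) != 0)      /* undo a partial drop */
            abort();
        errno = saved;
        return -1;
    }
    fd = open(path, O_RDONLY | O_NOFOLLOW);   /* ELOOP if path is a symlink */
    saved = errno;
    if (seteuid(euid) != 0 || setegid(egid) != 0)   /* restore, uid first */
        abort();
    errno = saved;
    return fd;
}
/* Constructed check: a regular temp file opens, a symlink pointing at it is
 * refused with ELOOP. Runs unprivileged, so the id changes are no-ops. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/elmfilterXXXXXX", tfile[64], lnk[64];
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(tfile, sizeof tfile, "%s/tempfile", dir);
    snprintf(lnk, sizeof lnk, "%s/mailbox", dir);
    fd = open(tfile, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(tfile, lnk) == 0) {
        fd = open_as_user_nofollow(tfile, getuid(), getgid());
        ok = fd >= 0 && close(fd) == 0;
        fd = open_as_user_nofollow(lnk, getuid(), getgid());
        ok = ok && fd < 0 && errno == ELOOP;
    }
    unlink(lnk); unlink(tfile); rmdir(dir);
    return ok;
}
```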