[15752] in bugtraq
Re: SuSE Security Announcement: tnef
daemon@ATHENA.MIT.EDU (Rainer Link)
Wed Jul 12 14:55:42 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <396B5C43.ACBF0023@foo.fh-furtwangen.de>
Date: Tue, 11 Jul 2000 19:41:23 +0200
Reply-To: Rainer Link <link@FOO.FH-FURTWANGEN.DE>
From: Rainer Link <link@FOO.FH-FURTWANGEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Thomas Biege wrote:
> ______________________________________________________________________________
>
> SuSE Security Announcement
>
> Package: tnef < 0-124
> Date: Mon Jul 10 19:19:16 CEST 2000
>
> Affected SuSE versions: 6.3-6.4
> Vulnerability Type: remote compromise
> SuSE default package: no
> Other affected systems: all unix systems using this package
> ______________________________________________________________________________
[cut]
> 2. Impact
>
> By specifing a path name like /etc/passwd and sending a compressed
> mail to root an adversary could gain remote root access to a system
> by overwriting the local password database.
> The same could happen if a mail virus scanner, like AMaVIS, process'
> a malicious mail.
FYI:
AMaViS-Perl: not affected, as a Perl module is used
TNEF support was added to AMaViS 0.2.0-pre6-clm-rl-8-20000604 (previous
versions are therefore *not* affected), but AMaViS does not run as root
when used with qmail, exim and postfix. AMaViS is run as root, when used
with sendmail and AMaViS is called via Mlocal. AMaViS may not run as
root, when used with sendmail and the new relay scanning setup for
AMaViS (--enable-relay).
Anyway, a fix for this possible security hole was provided in AMaViS
0.2.0-pre6-clm-rl-8-20000704. It's available at
http://sourceforge.net/projects/amavis, http://cvsweb.amavis.org/ or
http://www.computer-networking.de/~link/security/amavis-patch.php3#latest_sources
(if you prefer a gzipped tarball).
We recommend to use Mark Simpson's TNEF
(http://world.std.com/~damned/software.html) which does not suffer from
this security problem, as it supportes the -d flag to extract files to a
specific directory.
I would like to thank Robert Valentan of SOLID-SOFT
EDV-VertriebsgmbH/Austria for reporting this problem to us and helping
us to fix it.
best regards,
Rainer Link
(AMaViS Developer)
--
Rainer Link | Member of Virus Help Munich (www.vhm.haitec.de)
link@suse.de | Member of AMaViS Development Team (dev.amavis.org)
rainer.w3.to | Linux/Unix Anti Virus project (lavp.sourceforge.net)
