Jordi,

I'm the researcher that brought the privilege escalation issue to Sergey's
attention.  I'll be releasing more details soon following the assignment of
a CVE, but the issue revolves around the --url option, which permits
writing to arbitrary files.  Combined with maidag being setuid root by
default, the issue can lead to arbitrary command execution as root.

If you can't upgrade to mailutils 3.8 there may be a few other options.

1) The issue itself is nullified if maidag is not setuid.  If you don't
require the setuid functionality of maidag, you may want to run
`chmod u-s /usr/sbin/maidag`.  Some distros strip the suid bit during
installation of mailutils, so it could be that the 'flaw' is not a flaw at
all for you, which you can verify with `ls -l /usr/sbin/maidag`.

2) If you do need the setuid capability of maidag, you may be able to get
away with changing the user ownership of maidag to a non-root user that's
less risky.

3) It may be possible to address the issue in code by turning off setuid
when utilizing the --url parameter.  I think this can be handled in the
following (untested) way:

In maidag/maidag.c you will find a code block like:
    case mode_url:
      /* FIXME: Verify if the urls are deliverable? */
      delivery_fun = deliver_to_url;
      break;

My guess is that if you add a block like the following in that case
statement, you will effectively mitigate the issue.

    {
      /* Drop the root effective uid before acting on the user-supplied URL. */
      uid_t user_user_id = getuid ();
#ifdef _POSIX_SAVED_IDS
      if (seteuid (user_user_id) != 0)
        exit (EXIT_FAILURE);
#else
      if (setreuid (geteuid (), getuid ()) != 0)
        exit (EXIT_FAILURE);
#endif
    }


Mike

--

On Wed, Nov 6, 2019 at 7:07 PM Jordi Mallach <jo...@mallach.net> wrote:

> Hi Sergey,
>
> On Wed, 06 Nov 2019 at 13:52 +0200, Sergey Poznyakoff
> wrote:
> > Hello,
> >
> > This is to inform you that GNU mailutils version 3.8 is available for
> > download.  This stable release fixes an important security flaw and
> > introduces several new features.  Please see the end of this message
> > for details.
>
> Thanks for the release. Is there a fix for maidag for older releases?
>
> Jordi
>
>
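The privilege drop that option 3 calls for, written out as an added example that is not part of Mike's message or of the mailutils source. It goes one step further than the snippet above: seteuid() leaves the saved uid at 0, so a process that only lowers its effective uid can raise it again later; setuid() on a process whose effective uid is 0 changes real, effective and saved uid at once, and the example verifies afterwards that root cannot be regained. The function names, the file path under /tmp and the deliver_to_file() stand-in for maidag's deliver_to_url() are assumptions made for this illustration.

```c
/* Added example, not mailutils code.  Shows a permanent, verified drop of
 * root privileges before delivering to a user-controlled file location,
 * the way a setuid-root delivery agent should handle an option like --url.
 * Names and the /tmp path are assumptions for this illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Permanently give up root: set real, effective and saved uid/gid to the
 * invoking user's.  setuid() with effective uid 0 changes all three ids
 * (POSIX); seteuid() alone would keep the saved uid at 0 and let the
 * process re-acquire root later.  Returns 0 on success, -1 on failure. */
int drop_root_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: once the uid is gone we could no longer change the gid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be observable; a silent failure here is the bug. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Returns 1 if the process can still become root, 0 if not.  After a
 * correct permanent drop this is 1 only when the real uid itself is 0. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    if (seteuid(0) == 0) {          /* saved uid was still root */
        seteuid(getuid());          /* put it back; we were only probing */
        return 1;
    }
    return 0;                       /* EPERM: the saved uid is gone too */
}

/* Stand-in for delivering to a file:// URL (hypothetical name).  Once
 * drop_root_permanently() has run this executes with the caller's own
 * permissions, so a path the invoking user may not write is refused by the
 * kernel.  O_NOFOLLOW and O_APPEND stop a symlink or truncation trick.
 * Returns 0 on success, -1 (errno set) on failure. */
int deliver_to_file(const char *path, const char *message)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(message);
    ssize_t n = write(fd, message, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

int main(void)
{
    if (drop_root_permanently() != 0) {
        perror("drop_root_permanently");
        return 1;
    }
    printf("euid=%u can_regain_root=%d\n",
           (unsigned)geteuid(), can_regain_root());
    /* Constructed sample delivery; the path is an assumption. */
    if (deliver_to_file("/tmp/maidag-example.mbox", "From mike\nTest\n") != 0)
        perror("deliver_to_file");
    return 0;
}
```

Run as an ordinary user the program prints its own uid and can_regain_root=0; installed setuid root it would print the invoking user's uid and still 0, which is the property the --url code path needs before it touches any path the caller chose.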
