==================================================================
  Please DO NOT REPLY to this mail or send email to the developers
  about this bug. Please follow-up to Bugzilla using this link:
    http://bugs.contribs.org/show_bug.cgi?id=9073

  Have you checked the Frequently Asked Questions (FAQ)?
    http://wiki.contribs.org/SME_Server:Documentation:FAQ

  Please also take the time to read the following useful guide:
    http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================

            Bug ID: 9073
           Summary: Fix possible race condition vulnerability in vacation
                    message creation through user panel
    Classification: Contribs
           Product: SME Contribs
           Version: 9.0
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-vacation
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

DESCRIPTION
===========

As explained by Charlie Brady in Bug 1192, comment 12:

The security issue is that somebody with shell access to their own account
could create a malicious symlink in place of .vacation.msg, and that would
allow them to alter any file on the system, via the uservacations panel.

While the ".vacation.msg" file in a user's home directory gets deleted before
new content is written, in the current code there is still a small exposure,
because a new symlink could be created in the instant of time before the unlink
and the open of the new file.

POSSIBLE SOLUTION
=================

As suggested by Charlie Brady in Bug 1192, comment 14:

The solution to this problem is for the script to change the running uid to the
uid who is logged in, before opening the file for writing. Doing that would
render malicious symlinks ineffective, since the script would no longer have
permission to write to any file on the system, e.g.:

    my $uid = getpwnam($user) or die "Could not get uid for $user\n";
    $> = $uid; # Switch effective uid of the process
    $> == $uid or die "Could not switch to uid $uid: $!\n"; # Confirm the switch took effect

CONTRIB VERSION
===============

up to smeserver-vacation-1.1-10

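The fix proposed in the report, sketched as an added example (not part of the bug report and not the smeserver-vacation code): the hypothetical helper `write_as_user` switches the effective gid and uid to the user before touching the file. It goes beyond the report's suggestion by also opening the file with `O_CREAT|O_EXCL`; the demo at the end runs against a constructed temporary directory as the current user.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Hypothetical helper, not the smeserver-vacation code: replace $path with
# $text while running with the effective uid/gid of $user.
sub write_as_user {
    my ($user, $path, $text) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "Could not get uid for $user\n";

    my $old_uid = $>;
    my $old_gid = $);
    $) = "$gid $gid";    # egid and supplementary groups, while still privileged
    $> = $uid;           # then the effective uid
    $> == $uid or die "Could not switch effective uid to $uid: $!\n";

    my $ok = eval {
        unlink $path;    # drop the old message, or whatever was planted there
        # O_CREAT|O_EXCL never follows a symlink and fails if anything
        # reappears at $path between the unlink and this open.
        sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
            or die "Refusing to write $path: $!\n";
        print {$fh} $text or die "Write to $path failed: $!\n";
        close($fh) or die "Close of $path failed: $!\n";
        1;
    };
    my $err = $@;
    $> = $old_uid;       # regain privileges in the reverse order
    $) = $old_gid;
    die $err unless $ok;
    return 1;
}

# Constructed demo: a symlink planted at .vacation.msg must not reach its target.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim";
my $msg    = "$dir/.vacation.msg";
open(my $v, '>', $victim) or die "open $victim: $!\n";
print {$v} "original\n";
close($v);
symlink($victim, $msg) or die "symlink: $!\n";

write_as_user(scalar getpwuid($>), $msg, "I am away until Monday.\n");
print "message is a regular file: ", (-l $msg ? "no" : "yes"), "\n";
print "victim unchanged: ", ((-s $victim) == 9 ? "yes" : "no"), "\n";
```

When the panel runs as root, the uid switch means a symlink that wins the race can only redirect the write to files the user could already modify.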