Package: mimedefang
Version: 2.83-1
Severity: important
Tags: security patch

mimedefang.postinst contains the following code in its "configure"
target:

            chown defang:defang /var/spool/MIMEDefang
            mkdir -p /var/spool/MIMEDefang/.spamassassin
            chmod 700 /var/spool/MIMEDefang/.spamassassin
            chown defang /var/spool/MIMEDefang/.spamassassin

If the defang user account is compromised, it can exploit this code to
gain root privileges by racing between the mkdir command and the final
chown command to make /var/spool/MIMEDefang/.spamassassin a link
(either hard or soft) to a sensitive root-controlled file (like
/etc/shadow, /etc/passwd, or even
/var/lib/dpkg/info/mimedefang.postinst itself).

Instead, please consider replacing the final three lines with
something like:

    runuser -u defang mkdir -p -m 0700 /var/spool/MIMEDefang/.spamassassin
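As an added illustration (not part of this report or of the mimedefang package), the helper below shows the suggested pattern in a postinst-style shell fragment: the directory is created directly as the unprivileged user, so root never chowns or chmods a path that user could have swapped for a link, and the result is then verified before anything trusts it. It assumes GNU coreutils (stat -c) and runuser(1) when run as root; when not run as root it creates the directory as the current user so the functions can be exercised in a test.

```shell
#!/bin/sh
# Added example, not from the bug report or the package.
# Assumes GNU coreutils (stat -c) and runuser(1) when run as root.
set -u

# create_private_dir USER DIR
# Create DIR as USER with mode 0700 in one step, so there is no window in
# which root operates on a path USER controls. Note that "mkdir -p" succeeds
# silently if DIR already exists as a symlink to a directory, which is why
# the verification below is still needed.
create_private_dir() {
    user="$1"; dir="$2"
    if [ "$(id -u)" -eq 0 ]; then
        runuser -u "$user" -- mkdir -p -m 0700 "$dir"
    else
        # Not root (e.g. in a test): create as the current user instead.
        mkdir -p -m 0700 "$dir"
    fi
}

# verify_private_dir USER DIR
# Return 0 only if DIR is a real directory (not a symlink), owned by USER,
# with mode 0700. Each failing check explains itself on stderr.
verify_private_dir() {
    user="$1"; dir="$2"
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a directory" >&2; return 1
    fi
    owner=$(stat -c %U "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$owner" != "$user" ]; then
        echo "refusing: $dir is owned by $owner, expected $user" >&2; return 1
    fi
    if [ "$mode" != "700" ]; then
        echo "refusing: $dir has mode $mode, expected 700" >&2; return 1
    fi
    return 0
}
```

In a real postinst the two calls would be `create_private_dir defang /var/spool/MIMEDefang/.spamassassin` followed by `verify_private_dir defang /var/spool/MIMEDefang/.spamassassin || exit 1`.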

Regards,

        --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mimedefang depends on:
ii  adduser                            3.117
ii  debconf [debconf-2.0]              1.5.65
ii  libc6                              2.26-6
ii  libio-stringy-perl                 2.111-2
ii  libmailtools-perl                  2.18-1
ii  libmilter1.0.1                     8.15.2-10
ii  libmime-tools-perl                 5.509-1
ii  libperl5.24 [libmime-base64-perl]  5.24.1-7
ii  libperl5.26 [libmime-base64-perl]  5.26.1-4+b1
ii  libunix-syslog-perl                1.1-2+b8
ii  perl                               5.26.1-4+b1
ii  psmisc                             23.1-1

mimedefang recommends no packages.

Versions of packages mimedefang suggests:
pn  clamav                                    <none>
pn  graphdefang                               <none>
ii  libarchive-zip-perl                       1.60-1
ii  libhtml-parser-perl                       3.72-3+b2
ii  postfix                                   3.2.5-1
pn  sanitizer                                 <none>
ii  spamassassin [libmail-spamassassin-perl]  3.4.1-8
ii  tk [wish]                                 8.6.0+9
pn  wv                                        <none>

-- debconf information excluded