Your message dated Sun, 14 Jun 2020 13:34:12 +0200
with message-id <[email protected]>
and subject line Re: Bug#944265: mailutils: local privilege escalation in
maidag utility (fixed in 3.8)
has caused the Debian Bug report #944265,
regarding mailutils: local privilege escalation in maidag utility (fixed in
3.8) (CVE-2019-18862)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
944265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944265
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mailutils
Severity: serious
Tags: security fixed-upstream
There is a local privilege escalation in the maidag utility:
https://savannah.gnu.org/forum/forum.php?forum_id=9586
This version fixes important security flow. The maidag utility has
been withdrawn and three new programs have been included to provide
its functionality: local mail delivery agent mda, LMTP daemon lmtpd,
and user mail delivery tool putmail.
https://git.savannah.gnu.org/cgit/mailutils.git/plain/NEWS
* The maidag utility is withdrawn
The main purpose of this utility was to work as local mail delivery
agent (MDA), a program responsible for final delivery of email messages
to the recipient's mailbox. As such it required suid privileges.
In parallel with its main purpose, it also was able to work in two
other modes: the 'url' mode, designed to deliver mails to arbitrary
mailbox URLs, and 'lmtp' mode, in which it acted as local mail
transport daemon. Neither of these needed suid privileges.
The unfortunate design decision to combine the three modes in a single
versatile tool resulted in local privilege escalation threat in 'url'
mode.
To fix this, maidag has been replaced by three different utilities,
each one with a precisely defined purpose and carefully designed
privileges: mda, lmtpd, and putmail.
--
bye,
pabs
https://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Version: 1:3.8-1
Hi,
On Sat, Nov 23, 2019 at 10:13:46AM +0100, Salvatore Bonaccorso wrote:
> On Fri, Nov 22, 2019 at 02:22:00PM +0100, Jordi Mallach wrote:
> > Hi all,
> >
> > El dl. 11 de 11 de 2019 a les 21:32 +0100, en/na Salvatore Bonaccorso
> > va escriure:
> > > Control: retitle -1 mailutils: local privilege escalation in maidag
> > > utility (fixed in 3.8) (CVE-2019-18862)
As this is listed as 'fixed in 3.8', it should be fixed in the 3.8 upload.
However, the upload didn't close this bug or mention the CVE. Closing the bug
now.
Thanks for the upload!
Ivo
--- End Message ---