Oh, I see. They added an amendment to the end.

Last-minute note: on February 9, 2020, opensmtpd-6.6.2p1-1.fc31 was
released and correctly made smtpctl set-group-ID smtpq, instead of
set-group-ID root.

Rather strange that they haven't managed to update packages for two
weeks before checking anything.


On Wed, Feb 26, 2020 at 3:56 AM Denis Fateyev <de...@fateyev.com> wrote:

> Beside the real vulnerability, what is interesting that Qualys used an
> outdated Fedora package to prepare the report:
>
> On Linux, this vulnerability is generally not exploitable because
> /proc/sys/fs/protected_hardlinks prevents attackers from creating
> hardlinks to files they do not own. On Fedora 31, however, smtpctl is
> set-group-ID root, not set-group-ID smtpq:
>
> ------------------------------------------------------------------------------
> -r-xr-sr-x. 1 root root 303368 Jul 26  2019 /usr/sbin/smtpctl
> ------------------------------------------------------------------------------
>
>
> The latest package (6.6.2, pushed to stable on Feb 09) contains a
> different file:
>
> # ls -la /usr/sbin/smtpctl
> -r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl
>
> That version that they tested was way back from 2019.
>
> I think I need to inform them separately, but just FYI.
>
>

-- 
wbr, Denis.

Reply via email to