#3158: CVE id CAN-2005-2351: less random temp file creation allows DOS
------------------------------+---------------------------------------------
 Reporter:  [email protected]  |       Owner:  mutt-dev
     Type:  defect            |      Status:  new
 Priority:  minor             |   Milestone:
Component:  mutt              |     Version:  1.5.19
 Keywords:                    |
------------------------------+---------------------------------------------
 forwarding from http://bugs.debian.org/311296

 I am only making this important because after discussing it on
 #debian-devel, the consensus was that this was annoying but not RC. I am
 CC'ing Nico and Elimar since this also applies to the unofficial mutt-ng
 packages.

 mutt creates temporary files in a very predictable and unsecure way. There
 is no threat of overwriting an existing file or creating a file somewhere
 where the user lacks appropriate permissions, but there is a trivial way to
 DoS the users in mutt.

 Steps to replicate: Log into a shared machine and run 'ps aux|grep mutt'.
 Choose a user running mutt. Note the pid of the mutt process you want to
 DOS. Note the username and run 'id <user>' to get the uid. Then run
 'for i in `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done'
 and watch the user not be able to 1) compose mail, 2) change mailboxes,
 3) reply to mail, 4) or view help until mutt is restarted.

 For added fun, wrap in another for loop that iterates from 0 to 32767 and
 hit all the PIDs and prevent the user from using mutt until /tmp is cleaned
 or the machine is rebooted.

--
Ticket URL: <http://dev.mutt.org/trac/ticket/3158>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
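
The failure mode reported above and its usual remedy, as an added example that is not part of the ticket and is not mutt's code. It assumes exclusive creation (O_EXCL), which the report implies by saying existing files cannot be overwritten; the function names, the host name "examplehost" and the private demo directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* declares mkstemp() and mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Guessable scheme from the report: <dir>/mutt-<host>-<uid>-<pid>-<n>.
 * O_EXCL prevents overwriting, so an existing name gives -1 with EEXIST. */
int open_predictable(const char *dir, const char *host, int n,
                     char *path, size_t len)
{
    snprintf(path, len, "%s/mutt-%s-%d-%d-%d", dir, host,
             (int)getuid(), (int)getpid(), n);
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Hardened form: mkstemp() fills in a random suffix, creates the file
 * exclusively with mode 0600, and retries by itself on a collision. */
int open_unpredictable(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/mutt-XXXXXX", dir);
    return mkstemp(path);
}

/* Returns 1 when the guessable name is blocked by an existing file while
 * mkstemp() still succeeds. Works in a private directory made for the demo. */
int demo(void)
{
    char dir[] = "/tmp/tmpname-demo-XXXXXX", taken[512], fresh[512];
    if (mkdtemp(dir) == NULL) return -1;
    /* Constructed collision: the name exists before the second request. */
    int fd = open_predictable(dir, "examplehost", 0, taken, sizeof taken);
    if (fd < 0) return -1;
    close(fd);
    int again = open_predictable(dir, "examplehost", 0, taken, sizeof taken);
    int blocked = (again == -1 && errno == EEXIST);
    int ok = open_unpredictable(dir, fresh, sizeof fresh);
    if (ok >= 0) { close(ok); unlink(fresh); }
    unlink(taken);
    rmdir(dir);
    return blocked && ok >= 0;
}

int main(void)
{
    printf("guessable name blocked, mkstemp() still works: %d\n", demo());
    return 0;
}
```

A per-user private temporary directory (mode 0700) removes the shared namespace altogether, which is a stronger fix than random names alone.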
