Advisories : exmh security vulnerability on linux.com

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : exmh security vulnerability on linux.com

Title:	exmh security vulnerability on linux.com
Released by:	Brent Welch
Date:	15th January 2001
Printable version:	Click here

I have put information about the symlink attack and fixes on

http://www.beedub.com/exmh/symlink.html



Note that any user can protect themselves without applying a patch.

Exmh already has a feature that allows users to choose their own

tmp directory via the TMPDIR or EXMHTMPDIR environment variable.

Apparently the original bug reported failed to realize this simple

remedy.  However, a patch that causes exmh to pick a better directory

by default is in place and available from the above web page.  The

change is also checked into CVS.



If someone outthere is a member of BUGTRAQ, I would appreciate a posting

to their list about this fix.



>>>Albert White - SUN Ireland said:



 > On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html

 >

 > This bug is mentioned:

 >

 > "A problem in the bug reporting system for exmh, an X-based interface for th

     e

 > MH mail, can cause overwriting of arbitrary system files that are writable b

     y

 > the user running exmhexmh encounters a problem in its code, it opens a dialo

     g

 > that asks the user what happened and then allows them to send a bug report t

     o

 > the author. If the user chooses to e-mail the bug report, exmh creates the

 > file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink

     ,

 > overwriting the file that it is linked to.

 >

 > As of this time, the author has not released a patch or updated version. It

     is

 > recommended that the bug report feature not be used on multiuser systems unt

     il

 > this problem has been fixed."

 >

 > I think the problem is in error.tcl around line 121:

 >    119  proc ExmhMailError { w errInfo } {

 >    120      global exmh

 >    121      if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {

 >    122          Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple

 >    123          return

 >    124      }

 >

 > I guess all that is needed to fix this is a check to see that the file isn't

      a

 > symlink before opening it. I don't know how to do that in tcl though :)

 >

 > Cheers,

 > ~Al

 >

 >

 > --==_Exmh_-536764512P

 > Content-Type: application/pgp-signature

 >

 > -----BEGIN PGP SIGNATURE-----

 > Version: GnuPG v1.0.2 (SunOS)

 > Comment: Exmh version 2.2 06/23/2000

 >

 > iD4DBQE6XxH3pfmE8MiMM1IRAh4AAJjoZuUKRrXwlU3NALPNXmOCY15VAJwNr82Q

 > H7r69/0P2qxWE66bcPUCxg==

 > =2+zl

 > -----END PGP SIGNATURE-----

 >

 > --==_Exmh_-536764512P--



-- Brent Welch 

http://www.interwoven.com