OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Matthias Andree (matthias.andree_at_gmx.de)
Date: Thu Nov 28 2002 - 20:36:37 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    bogofilter-SA-2002:01.bogopass

    Topic: vulnerability in bogopass

    Announcement: bogofilter-SA-2002:01
    Writer: Matthias Andree
    Version: 1.00
    Announced: 2002-11-29
    Category: contrib
    Type: temporary file created insecurely
    Impact: anonymous local file destruction or change
    Credits: -
    Danger: medium (the vulnerable version was replaced after 6
                            hours, the vulnerable program is not installed
                            by default)

    Affects: bogofilter 0.9.0.4 (beta version)

    Not affected: bogofilter 0.9.0.3 and before
                    bogofilter 0.9.0.5 and newer

    Default install: unaffected.

    Introduced: 2002-11-27 23:04:28 UTC (CVS)
                    2002-11-27 23:11 bogofilter 0.9.0.4 released

    Corrected: 2002-11-28 01:19:04 UTC (CVS) - disabled original version
                    2002-11-28 03:32:47 UTC (CVS) - committed corrected version
                    2002-11-28 04:26 bogofilter 0.9.0.5 released

    0. Release history

    2002-11-28 1.00 initial announcement

    1. Background

    Bogofilter is a software package to determine if a mail on its standard
    input is spam or not.

    2. Problem description

    A vulnerability was found in the contrib/bogopass Perl program that was
    added to bogofilter as of the 0.9.0.4 beta release (date: 2002-11-27
    23:04:28 UTC in CVS) with bogofilter, but is not installed by default.

    The bogopass program creates temporary files with the name
    /tmp/bogopass.$$, where $$ is the process ID, with the open FH, ">file"
    syntax of Perl, which uses O_TRUNC mode, not O_EXCL.

    3. Impact

    This vulnerability allows for anonymous file destruction or change, and
    might be abused to further escalate the privileges of the local
    attacker.

    If bogopass is run by the root user, this may eventually lead to a
    complete system compromise.

    4. Workaround

    Do not install or use the "bogopass" program that shipped with the
    vulnerable versions (see above) of bogofilter.

    5. Solution

    Upgrade your bogofilter to version 0.9.0.5 beta, and reinstall the
    bogopass program. Make sure you delete all copies of the old version of
    bogopass.

    bogofilter 0.9.0.5 is available from sourceforge:

    http://sourceforge.net/project/showfiles.php?group_id=62265&release_id=118794

    6. Solution details

    revision 1.3
    date: 2002/11/28 03:32:47; author: m-a; state: Exp; lines: +67 -26

    7. Other hints

    Software that treats user input should not run as root if it can be
    avoided. When installing bogofilter for system-wide use, make sure that
    it runs as an unprivileged user to limit the impact of possible
    vulnerabilities.

    A. References

    bogofilter home page: http://bogofilter.sourceforge.net/