[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mailutils-3.8 released [stable]

From: Mike Gualtieri
Subject: Re: mailutils-3.8 released [stable]
Date: Wed, 6 Nov 2019 19:54:35 -0500


I'm the researcher that brought the privilege escalation issue to Sergey's attention.  I'll be releasing more details soon following the assignment of a CVE, but the issue revolves around the --url option, which permits the ability to write to arbitrary files.  Combined with maidag being setuid root by default, the issue can lead to arbitrary command execution as root.

If you can't upgrade to mailutils 3.8 there may be a few other options.

1) The issue itself is nullified if maidag is not set as setuid.  If you don't require the setuid functionality of maidag, you may want to run a `chmod u-s /usr/sbin/maidag`.  Some distros strip the suid bit during installation of mailutils, so it could be that the 'flaw' is not a flaw at all for you, which can be verified with a `ls -l /usr/sbin/maidag`.

2) If you do need the setuid capability of maidag, you may be able to get away with changing the user ownership of maidag to a non-root user that's less risky.

3) It may be possible to address the issue in code by turning off setuid when utilizing the --url parameter.  I think this can be handled in the following (untested) way:

In maidag/maidag.c you will find a code block like:
    case mode_url:
      /* FIXME: Verify if the urls are deliverable? */
      delivery_fun = deliver_to_url;

My guess is that if you add a block like the following in that case statement, you will effectively mitigate the issue.

    int user_user_id = getuid();
    #ifdef _POSIX_SAVED_IDS
        setreuid (geteuid(), getuid());



On Wed, Nov 6, 2019 at 7:07 PM Jordi Mallach <address@hidden> wrote:
Hi Sergey,

El dc. 06 de 11 de 2019 a les 13:52 +0200, en/na Sergey Poznyakoff va
> Hello,
> This is to inform you that GNU mailutils version 3.8 is available for
> download.  This stable release fixes an important security flaw and
> introduces several new features.  Please see the end of this message
> for details.

Thanks for the release. Is there a fix for maidag for older releases?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]