Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201009-02 ] Maildrop: privilege escalation
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1539

PostPosted: Mon Sep 06, 2010 9:26 pm    Post subject: [ GLSA 201009-02 ] Maildrop: privilege escalation Reply with quote

Gentoo Linux Security Advisory

Title: Maildrop: privilege escalation (GLSA 201009-02)
Severity: high
Exploitable: local
Date: September 06, 2010
Bug(s): #308043
ID: 201009-02

Synopsis


Insecure permission handling in maildrop might allow local attackers to
elevate their privileges.


Background


maildrop is the mail filter/mail delivery agent that is used by the
Courier Mail Server.


Affected Packages

Package: mail-filter/maildrop
Vulnerable: < 2.4.2
Unaffected: >= 2.4.2
Architectures: All supported architectures


Description


Christoph Anton Mitterer reported that maildrop does not properly drop
its privileges when run as root.


Impact


A local attacker could create a specially crafted .mailfilter file,
possibly leading to the execution of arbitrary commands with the "root"
group privileges. NOTE: Successful exploitation requires that maildrop
is run as root with the -d option.


Workaround


There is no known workaround at this time.


Resolution


All maildrop users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-filter/maildrop-2.4.2"


References

CVE-2010-0301
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum