From afa06e5b2e3e951e639c9981b759fa568b8c06fb Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Thu, 14 Aug 2008 14:06:44 +0000 Subject: [PATCH] - fixed postfix privilege problem with symlinks in the mail spool directory (CVE-2008-2936) (rhbz#459101) --- postfix-CVE-2008-2936.patch | 59 +++++++++++++++++++++++++++++++++++++ postfix.spec | 8 ++++- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 postfix-CVE-2008-2936.patch diff --git a/postfix-CVE-2008-2936.patch b/postfix-CVE-2008-2936.patch new file mode 100644 index 0000000..55f8400 --- /dev/null +++ b/postfix-CVE-2008-2936.patch @@ -0,0 +1,59 @@ + +*** postfix/src/util/safe_open.c.orig Sun Jun 4 19:04:49 2006 +- --- postfix/src/util/safe_open.c Mon Aug 4 16:47:18 2008 +*************** +*** 83,88 **** +- --- 83,89 ---- + #include + #include + #include ++ #include + #include + + /* safe_open_exist - open existing file */ +*************** +*** 138,150 **** + * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks + * owned by a non-root user. This would open a security hole when + * delivering mail to a world-writable mailbox directory. + */ + else if (lstat(path, &lstat_st) < 0) { + vstring_sprintf(why, "file status changed unexpectedly: %m"); + errno = EPERM; + } else if (S_ISLNK(lstat_st.st_mode)) { +! if (lstat_st.st_uid == 0) +! return (fp); + vstring_sprintf(why, "file is a symbolic link"); + errno = EPERM; + } else if (fstat_st->st_dev != lstat_st.st_dev +- --- 139,167 ---- + * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks + * owned by a non-root user. This would open a security hole when + * delivering mail to a world-writable mailbox directory. ++ * ++ * Sebastian Krahmer of SuSE brought to my attention that some systems have ++ * changed their semantics of link(symlink, newpath), such that the ++ * result is a hardlink to the symlink. For this reason, we now also ++ * require that the symlink's parent directory is writable only by root. + */ + else if (lstat(path, &lstat_st) < 0) { + vstring_sprintf(why, "file status changed unexpectedly: %m"); + errno = EPERM; + } else if (S_ISLNK(lstat_st.st_mode)) { +! if (lstat_st.st_uid == 0) { +! VSTRING *parent_buf = vstring_alloc(100); +! const char *parent_path = sane_dirname(parent_buf, path); +! struct stat parent_st; +! int parent_ok; +! +! parent_ok = (stat(parent_path, &parent_st) == 0 /* not lstat */ +! && parent_st.st_uid == 0 +! && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0); +! vstring_free(parent_buf); +! if (parent_ok) +! return (fp); +! } + vstring_sprintf(why, "file is a symbolic link"); + errno = EPERM; + } else if (fstat_st->st_dev != lstat_st.st_dev + diff --git a/postfix.spec b/postfix.spec index 3fcff78..6fedbc2 100644 --- a/postfix.spec +++ b/postfix.spec @@ -40,7 +40,7 @@ Name: postfix Summary: Postfix Mail Transport Agent Version: 2.5.1 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 Group: System Environment/Daemons URL: http://www.postfix.org @@ -81,6 +81,7 @@ Patch7: postfix-2.1.5-aliases.patch Patch8: postfix-large-fs.patch Patch9: postfix-2.4.0-cyrus.patch Patch10: postfix-2.4.5-open_define.patch +Patch11: postfix-CVE-2008-2936.patch # Optional patches - set the appropriate environment variables to include # them when building the package/spec file @@ -139,6 +140,7 @@ TLS %patch8 -p1 -b .large-fs %patch9 -p1 -b .cyrus %patch10 -p1 -b .open_define +%patch11 -p1 -b .CVE-2008-2936 # resolve multilib conflict for makedefs.out: rename to makedefs.out-%{_arch} perl -pi -e "s/makedefs.out/makedefs.out-%{_arch}/g" conf/postfix-files Makefile.in */Makefile.in */*/Makefile.in HISTORY @@ -480,6 +482,10 @@ exit 0 %changelog +* Thu Aug 14 2008 Thomas Woerner 2:2.5.1-3 +- fixed postfix privilege problem with symlinks in the mail spool directory + (CVE-2008-2936) (rhbz#459101) + * Wed Mar 12 2008 Thomas Woerner 2:2.5.1-2 - fixed fix for enabling IPv6 support (rhbz#437024) - added new postfix data directory (rhbz#437042)