- fixed postfix privilege problem with symlinks in the mail spool directory

(CVE-2008-2936) (rhbz#459101)
2008-08-14 14:06:44 +00:00 · 2008-08-14 14:06:44 +00:00 · afa06e5b2e
commit afa06e5b2e
parent 63c5c3f41c
2 changed files with 66 additions and 1 deletions
--- a/postfix-CVE-2008-2936.patch
+++ b/postfix-CVE-2008-2936.patch
@ -0,0 +1,59 @@
+
+*** postfix/src/util/safe_open.c.orig	Sun Jun  4 19:04:49 2006
+- --- postfix/src/util/safe_open.c	Mon Aug  4 16:47:18 2008
+***************
+*** 83,88 ****
+- --- 83,89 ----
+  #include <msg.h>
+  #include <vstream.h>
+  #include <vstring.h>
+ #include <stringops.h>
+  #include <safe_open.h>
+  
+  /* safe_open_exist - open existing file */
+***************
+*** 138,150 ****
+       * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
+       * owned by a non-root user. This would open a security hole when
+       * delivering mail to a world-writable mailbox directory.
+       */
+      else if (lstat(path, &lstat_st) < 0) {
+  	vstring_sprintf(why, "file status changed unexpectedly: %m");
+  	errno = EPERM;
+      } else if (S_ISLNK(lstat_st.st_mode)) {
+! 	if (lstat_st.st_uid == 0)
+! 	    return (fp);
+  	vstring_sprintf(why, "file is a symbolic link");
+  	errno = EPERM;
+      } else if (fstat_st->st_dev != lstat_st.st_dev
+- --- 139,167 ----
+       * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
+       * owned by a non-root user. This would open a security hole when
+       * delivering mail to a world-writable mailbox directory.
+      * 
+      * Sebastian Krahmer of SuSE brought to my attention that some systems have
+      * changed their semantics of link(symlink, newpath), such that the
+      * result is a hardlink to the symlink. For this reason, we now also
+      * require that the symlink's parent directory is writable only by root.
+       */
+      else if (lstat(path, &lstat_st) < 0) {
+  	vstring_sprintf(why, "file status changed unexpectedly: %m");
+  	errno = EPERM;
+      } else if (S_ISLNK(lstat_st.st_mode)) {
+! 	if (lstat_st.st_uid == 0) {
+! 	    VSTRING *parent_buf = vstring_alloc(100);
+! 	    const char *parent_path = sane_dirname(parent_buf, path);
+! 	    struct stat parent_st;
+! 	    int     parent_ok;
+! 
+! 	    parent_ok = (stat(parent_path, &parent_st) == 0	/* not lstat */
+! 			 && parent_st.st_uid == 0
+! 			 && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0);
+! 	    vstring_free(parent_buf);
+! 	    if (parent_ok)
+! 		return (fp);
+! 	}
+  	vstring_sprintf(why, "file is a symbolic link");
+  	errno = EPERM;
+      } else if (fstat_st->st_dev != lstat_st.st_dev
+
--- a/postfix.spec
+++ b/postfix.spec
@ -40,7 +40,7 @@
 Name: postfix
 Summary: Postfix Mail Transport Agent
 Version: 2.5.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 Group: System Environment/Daemons
 URL: http://www.postfix.org
@ -81,6 +81,7 @@ Patch7: postfix-2.1.5-aliases.patch
 Patch8: postfix-large-fs.patch
 Patch9: postfix-2.4.0-cyrus.patch
 Patch10: postfix-2.4.5-open_define.patch
+Patch11: postfix-CVE-2008-2936.patch

 # Optional patches - set the appropriate environment variables to include
 #                    them when building the package/spec file
@ -139,6 +140,7 @@ TLS
 %patch8 -p1 -b .large-fs
 %patch9 -p1 -b .cyrus
 %patch10 -p1 -b .open_define
+%patch11 -p1 -b .CVE-2008-2936

 # resolve multilib conflict for makedefs.out: rename to makedefs.out-%{_arch}
 perl -pi -e "s/makedefs.out/makedefs.out-%{_arch}/g" conf/postfix-files Makefile.in */Makefile.in */*/Makefile.in HISTORY
@ -480,6 +482,10 @@ exit 0


 %changelog
+* Thu Aug 14 2008 Thomas Woerner <twoerner@redhat.com> 2:2.5.1-3
+- fixed postfix privilege problem with symlinks in the mail spool directory
+  (CVE-2008-2936) (rhbz#459101)
+
 * Wed Mar 12 2008 Thomas Woerner <twoerner@redhat.com> 2:2.5.1-2
 - fixed fix for enabling IPv6 support (rhbz#437024)
 - added new postfix data directory (rhbz#437042)