Bug 459091

Summary: CVE-2008-2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership problem
Product: [Other] Security Response Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, robert.scheck, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-14 13:23:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2008-08-14 12:59:11 UTC 
Description of problem:
Thomas Biege from SuSE/Novell describes with "SUSE Security Announcement:
postfix (SUSE-SA:2008:040)", that they've fixed a security issue (CVE-2008-
2936, CVE-2008-2937: Postfix local privilege escalation and mbox ownership 
problem) which seems to apply for all RHEL and Fedora products as well, but
I can't see a Red Hat or Fedora specific update for this; from the e-mail
from SuSE/Novell to all openSUSE, SLES and SLED customers:

--- snipp ---
1) Problem Description and Brief Discussion

   Postfix is a well known MTA.
   During a source code audit the SuSE Security-Team discovered a local
   privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership
   problem (CVE-2008-2937) in postfix.
   The first bug allowed local users to execute arbitrary commands as root
   while the second one allowed local users to read other users mail.

2) Solution or Work-Around

   Please install the update package.
--- snapp ---

Version-Release number of selected component (if applicable):
Postfix <= 2.5.1 as it seems.

Actual results:
No update with fix for Red Hat and/or Fedora.

Expected results:
Update with security fix for Red Hat and Fedora.
Comment 1 Robert Scheck 2008-08-14 13:05:02 UTC 
Looks like bug #456314 and bug #456347 are the corresponding bug reports on
Red Hat Bugzilla for the named CVEs. Unluckily, I only get the message "You
are not authorized" for these bug reports - maybe open it, as it is a public
issue now anyway?!
Comment 2 Robert Scheck 2008-08-14 13:06:16 UTC 
Date: Thu, 14 Aug 2008 14:39:29 +0200 -- I forgot, this is the date/time
where the mail was sent from SuSE.
Comment 3 Josh Bressers 2008-08-14 13:23:17 UTC 

*** This bug has been marked as a duplicate of bug 456314 ***