Bug 23169 - exmh follows symlinks when writing to /tmp/exmhErrorMsg
Summary: exmh follows symlinks when writing to /tmp/exmhErrorMsg
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: exmh   
Version: 7.0
Hardware: All Linux
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact: Need Real Name
Keywords: Security
Depends On:
Reported: 2001-01-02 19:18 UTC by Daniel Roesen
Modified: 2007-03-27 03:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-01-19 02:41:38 UTC


Description Daniel Roesen 2001-01-02 19:18:40 UTC
From: "Stanley G. Bubrouski" <stan@CCS.NEU.EDU>
Subject:      Advisory: exmh symlink vulnerability
Date:         Sun, 31 Dec 2000 15:32:40 -0500
Message-ID:  <Pine.GSO.4.21.0012311529370.24743-100000@denali.ccs.neu.edu>

Author:   Stan Bubrouski (stan@ccs.neu.edu)
Date:   December 31, 2000
Package:  exmh
Versions affected:  2.2 and probably previous versions.
Severity:  A malicious local user could use a symlink attack to overwrite
           any file writable by the user executing exmh.

Problem: When exmh detects a problem at startup (or possibly other times,
I don't have time to investigate), when it encounters errors in its code or
configuration, an error dialog comes up asking the user what happened and
giving them the option to fill in an explanation and click a button to
send the bug report via e-mail to the maintainer.  If the user does
attempt to e-mail the maintainer, a file named /tmp/exmhErrorMsg is created,
and if the file exists and is a symlink it will follow the symlink,
allowing local files to be overwritten depending on the user running exmh.

Solution: There are no known solutions at this time.

Copyright 2000 Stan Bubrouski

Stan Bubrouski                                       stan@ccs.neu.edu
316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222

Comment 1 Stan Bubrouski 2001-01-19 02:41:35 UTC
I tried this on Red Hat 6.x machines also and it produced similar bad behaviour,
following symlinks that is.

-Stan Bubrouski
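
The write pattern the advisory describes, next to two ways a program can avoid it, as an added example that is not exmh's code and not part of the original report. It runs in a private temporary directory standing in for /tmp; the function names and the victim.txt file are hypothetical.

```python
import os
import tempfile

def naive_write(path, text):
    """Pattern from the advisory: open a fixed name and follow any symlink."""
    with open(path, "w") as f:
        f.write(text)

def safe_write_fixed(path, text):
    """Fixed name, but refuse to reuse an existing entry or follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # FileExistsError if anything is there
    with os.fdopen(fd, "w") as f:
        f.write(text)

def safe_write_unique(directory, text):
    """Preferred: unpredictable name, created atomically with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="exmhErrorMsg.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for /tmp
        victim = os.path.join(tmp, "victim.txt")  # hypothetical user file
        fixed = os.path.join(tmp, "exmhErrorMsg")
        naive_write(victim, "original")
        os.symlink(victim, fixed)  # link already present at the fixed name

        try:
            safe_write_fixed(fixed, "bug report")
            results["hardened_refused"] = False
        except FileExistsError:
            results["hardened_refused"] = True
        results["victim_after_hardened"] = read(victim)

        unique = safe_write_unique(tmp, "bug report")
        results["unique_is_symlink"] = os.path.islink(unique)
        results["victim_after_unique"] = read(victim)

        naive_write(fixed, "bug report")  # follows the link
        results["victim_after_naive"] = read(victim)
    return results

if __name__ == "__main__":
    print(demo())
```
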
