Bug 243455 (CVE-2007-2873) - CVE-2007-2873 spamassassin symlink attack
Summary: CVE-2007-2873 spamassassin symlink attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-2873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 243915
Depends On: 243456 243457 243458 243460 243461
Blocks:
 
Reported: 2007-06-08 19:44 UTC by Mark J. Cox
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-14 12:39:56 UTC
Embargoed:


Attachments: (none listed)


Links
System: Red Hat Product Errata
ID: RHSA-2007:0492
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: spamassassin security update
Last Updated: 2008-01-09 15:18:09 UTC

Description Mark J. Cox 2007-06-08 19:44:34 UTC
A local user symlink-attack DoS vulnerability in SpamAssassin has been found,
affecting versions 3.1.x, 3.2.0, and SVN trunk.  It has been assigned
CVE-2007-2873. Details:

- It only affects systems where spamd is run as root, is used with vpopmail or
  virtual users via the "-v"/"--vpopmail" OR "--virtual-config-dir" switch, AND
  with the "-x"/"--no-user-config" switch AND WITHOUT the "-u"/"--username"
  switch AND with the "-l"/"--allow-tell" switch.

  This is not default on any distro package, and is not a common configuration.

- It is a local exploit that requires the attacker to have a local account
  whose mail is being processed by spamd.

- The effect of the exploit is to allow overwriting of arbitrary files that are
  accessible by the spamd process (running as root), with data that is not
  under the control of the attacker.  Hence it is a DoS vulnerability that does
  not allow remote execution nor escalation of local privileges.


Workaround: If you are running spamd using a vulnerable combination of
switches, add the "-u" / "--username" switch to specify a non-root user that
spamd child processes will run as.

Note that in a mixed real/virtual user environment you will now have to run two
separate instances of spamd on different ports, with the instance that
specifies "-v"/"--vpopmail" or "--virtual-config-dir" also specifying
"-u"/"--username".

Fix: The vulnerability is fixed in SpamAssassin version 3.2.1 by, among other
fixes, no longer allowing the use of "-v"/"--vpopmail" or
"--virtual-config-dir" without the "-u"/"--username" switch.  Thus, the
configuration change described in the above workaround is still necessary when
upgrading to 3.2.1.

Further info: mail <security at SpamAssassin.apache.org>
Announced: [TODO: not yet public]
Corrected: [TODO: not yet checked into SVN]
Affects: all versions before the correction date, after and including 3.1.0
Credit: discovery of this vulnerability credited to Martin F. Krafft
  <bugzilla.spamassassin.org at pobox.madduck.net>.



Embargoed, public on 20070611
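The affected switch combination and the "-u" workaround described in the advisory above, turned into a configuration audit check. This is an added example written for this page, not code from the Red Hat bug, the SpamAssassin project or the advisory's author: the argument parser, the function names (`parse_spamd_args`, `audit_spamd`, `with_username`) and the sample command lines are constructed here; only the switch names and the conditions they must satisfy come from the advisory. The parser assumes spamd's usual option spellings (`--opt=value`, `--opt value`, `-o value`, and bundled short flags such as `-xl`); whether the daemon is started as root is passed in by the caller, since that is not visible in the command line itself.

```python
"""Audit a spamd command line for the CVE-2007-2873 switch combination.

Added example for this page (not SpamAssassin project code).  It applies
the advisory's conditions: spamd started as root, a virtual-user switch
(-v/--vpopmail or --virtual-config-dir), -x/--no-user-config, -l/--allow-tell,
and no -u/--username dropping the child processes to a non-root user.
"""
import shlex

# Switch spellings as listed in the advisory.
VIRTUAL_USER_SWITCHES = {"-v", "--vpopmail", "--virtual-config-dir"}
NO_USER_CONFIG_SWITCHES = {"-x", "--no-user-config"}
ALLOW_TELL_SWITCHES = {"-l", "--allow-tell"}
USERNAME_SWITCHES = {"-u", "--username"}

# Switches whose value must be consumed when not written as --opt=value.
# Only those relevant to this check are listed; other option values that do
# not start with "-" are simply ignored by the parser below.
TAKES_VALUE = {"-u", "--username", "--virtual-config-dir"}


def parse_spamd_args(cmdline):
    """Return (switches, values): the set of switch names present and the
    value given to each value-taking switch.  Handles --opt=value,
    --opt value, -o value and bundled short flags such as -xl (assumed
    spamd getopt behaviour; constructed for this example)."""
    argv = shlex.split(cmdline)
    switches, values = set(), {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, _, val = tok.partition("=")
            switches.add(name)
            if name in TAKES_VALUE:
                if not val and i + 1 < len(argv):
                    i += 1
                    val = argv[i]
                values[name] = val
        elif tok.startswith("-") and len(tok) > 1:
            # Bundled short flags: -xl means -x -l.  A value-taking flag
            # takes the rest of the token (or the next token) and ends the bundle.
            for j, ch in enumerate(tok[1:], start=1):
                name = "-" + ch
                switches.add(name)
                if name in TAKES_VALUE:
                    val = tok[j + 1:]
                    if not val and i + 1 < len(argv):
                        i += 1
                        val = argv[i]
                    values[name] = val
                    break
        i += 1
    return switches, values


def username_switch(switches, values):
    """Return the user named by -u/--username, or None if not given."""
    for name in USERNAME_SWITCHES:
        if name in switches and values.get(name):
            return values[name]
    return None


def audit_spamd(cmdline, runs_as_root=True):
    """Apply the advisory's conditions to one spamd command line.

    Returns (vulnerable, reason).  The advisory's workaround asks for a
    *non-root* user, so "-u root" is treated as no privilege drop at all."""
    switches, values = parse_spamd_args(cmdline)
    virtual = switches & VIRTUAL_USER_SWITCHES
    if not virtual:
        return False, "no virtual-user switch (-v/--vpopmail/--virtual-config-dir)"
    if not runs_as_root:
        return False, "spamd is not started as root"
    user = username_switch(switches, values)
    if user is not None and user != "root":
        return False, f"child processes drop to {user!r} via -u/--username"
    if not switches & NO_USER_CONFIG_SWITCHES:
        return False, "user config enabled (-x/--no-user-config not given)"
    if not switches & ALLOW_TELL_SWITCHES:
        return False, "-l/--allow-tell not given"
    return True, ("root spamd with %s, -x and -l but no non-root -u: "
                  "CVE-2007-2873 switch combination" % ", ".join(sorted(virtual)))


def with_username(cmdline, user):
    """Apply the advisory's workaround: append -u <user> to the command line."""
    return f"{cmdline} -u {shlex.quote(user)}"


if __name__ == "__main__":
    # Constructed sample command lines, not taken from any real system.
    for line in ["spamd -d -v -x -l",
                 "spamd -d --virtual-config-dir /var/vmail/%d/%l -xl",
                 "spamd --vpopmail --no-user-config --allow-tell -u spamd",
                 with_username("spamd -d -v -x -l", "spamd")]:
        print(f"{line!r}: {audit_spamd(line)}")
```

Run it against each spamd invocation in your init scripts (the daemon's process owner decides `runs_as_root`); a `True` verdict means the instance needs the `-u` workaround or the 3.2.1 upgrade, which refuses the virtual-user switches without `-u`.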

Comment 1 Mark J. Cox 2007-06-11 21:09:20 UTC
Now public at http://spamassassin.apache.org/advisories/cve-2007-2873.txt;
removing embargo.

Comment 2 Lubomir Kundrak 2007-06-12 18:32:27 UTC
*** Bug 243915 has been marked as a duplicate of this bug. ***

