Sebastian Krahmer reported a flaw in the way Postfix handles symlink files owned by root. If a user has write permission to the mail spool directory (this means that the user is in the mail group on our systems, which is unlikely), and there is no root mailbox, they can create a hard link to a root-owned symlink. Postfix will append mail messages to an arbitrary file, which could result in the local user gaining root privileges. Acknowledgements: Red Hat would like to thank Sebastian Krahmer for responsibly disclosing this issue.
This flaw affects Red Hat Enterprise Linux 3, 4, and 5.
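The check below is an added example, not part of this bug report or of the upstream patch: it audits a spool directory for the conditions the description lists (a spool writable by non-owners, no regular root mailbox, symlink entries that carry extra hard links). The function names and the temporary-directory layout in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_spool(spool):
    """Report the preconditions from the bug description for one spool dir."""
    st = os.stat(spool)
    root_box = os.path.join(spool, "root")
    findings = {
        # Group- or world-writable spool: non-owners can create entries in it.
        "dir_writable_by_non_owner": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        # True only when a root mailbox exists and is a plain file.
        "root_mailbox_regular": os.path.lexists(root_box)
        and stat.S_ISREG(os.lstat(root_box).st_mode),
        "symlink_entries": [],
    }
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        entry = os.lstat(path)  # lstat: inspect the entry itself, never its target
        if stat.S_ISLNK(entry.st_mode):
            findings["symlink_entries"].append({
                "name": name,
                "owner_uid": entry.st_uid,
                # nlink > 1: another directory entry shares this symlink inode,
                # so it was hard-linked into place rather than created here.
                "hard_linked": entry.st_nlink > 1,
                "target": os.readlink(path),
            })
    return findings


def demo():
    """Build a constructed spool in a temp dir (own files only) and audit it."""
    with tempfile.TemporaryDirectory() as base:
        spool = os.path.join(base, "spool")
        os.mkdir(spool)
        os.chmod(spool, 0o775)  # constructed: group-writable spool
        open(os.path.join(spool, "alice"), "w").close()  # ordinary mailbox
        # Constructed stand-in for a symlink that already exists elsewhere.
        link_src = os.path.join(base, "existing-symlink")
        os.symlink(os.path.join(base, "some-target"), link_src)
        # Hard link to the symlink itself, not to its target.
        os.link(link_src, os.path.join(spool, "bob"), follow_symlinks=False)
        return audit_spool(spool)


if __name__ == "__main__":
    print(demo())
```

On a real system, `audit_spool()` would be pointed at the mail spool path; any entry it returns with `owner_uid` 0 and `hard_linked` set matches the situation described above.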
Created attachment 312664 Proposed upstream patch
Created attachment 313762 Updated upstream patch
Thomas, Can you roll up some new packages for this? I'll write up the errata tomorrow. Thanks.
This is going to be RHSA-2008-0839. It now needs packages.
This is now public: http://archives.neohapsis.com/archives/postfix/2008-08/0392.html
*** Bug 459091 has been marked as a duplicate of this bug. ***
Public PoC posted to multiple security lists: http://marc.info/?l=bugtraq&m=122029567530728&w=4
postfix-2.5.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
postfix-2.5.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0839.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8595
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8593