Bugtraq mailing list archives

exmh security vulnerability
From: "Noel A. Davis" <noeld () TFN NET>
Date: Fri, 12 Jan 2001 18:06:54 -0500

Brent Welch <brent.welch () interwoven com> asked that this message about the
exmh symlink problem be forwarded to Bugtraq.



RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
rss/rdf file:  http://www.rootprompt.org/rss/
Text Headlines:  http://www.rootprompt.org/rss/text.php3

---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch <brent.welch () interwoven com>
To: Albert White - SUN Ireland <albert.white () ireland sun com>
Cc: exmh-users () redhat com, sans () sans org, noeld () rootprompt org
Subject: Re: exmh security vulnerability on linux.com

I have put information about the symlink attack and fixes on

Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own
tmp directory via the TMPDIR or EXMHTMPDIR environment variable.
Apparently the original bug reported failed to realize this simple
remedy.  However, a patch that causes exmh to pick a better directory
by default is in place and available from the above web page.  The
change is also checked into CVS.

If someone out there is a member of BUGTRAQ, I would appreciate a posting
to their list about this fix.

Albert White - SUN Ireland said:

On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html

This bug is mentioned:

"A problem in the bug reporting system for exmh, an X-based interface for the
MH mail, can cause overwriting of arbitrary system files that are writable by
the user running exmh. When exmh encounters a problem in its code, it opens a dialog
that asks the user what happened and then allows them to send a bug report to
the author. If the user chooses to e-mail the bug report, exmh creates the
file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink,
overwriting the file that it is linked to.

As of this time, the author has not released a patch or updated version. It is
recommended that the bug report feature not be used on multiuser systems until
this problem has been fixed."

I think the problem is in error.tcl around line 121:
   119  proc ExmhMailError { w errInfo } {
   120      global exmh
   121      if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
   122          Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
   123          return
   124      }

I guess all that is needed to fix this is a check to see that the file isn't a
symlink before opening it. I don't know how to do that in tcl though :)




--      Brent Welch     <brent.welch () interwoven com>
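One way to do the symlink check Albert asks about, in Tcl, as an added example that is neither exmh's own code nor the patch Brent refers to: rather than testing for a symlink and then opening (which leaves a race window), create the file with CREAT and EXCL so the kernel refuses if anything already exists at that path, and only then inspect what was there. Env_Tmp is stubbed here from the TMPDIR / EXMHTMPDIR behaviour described above, and SafeOpenForWrite is a hypothetical helper name.

```tcl
# Added example, not exmh's own code. Env_Tmp is stubbed here from the
# TMPDIR / EXMHTMPDIR behaviour described above; exmh has its own proc.
proc Env_Tmp {} {
    global env
    if {[info exists env(EXMHTMPDIR)]} { return $env(EXMHTMPDIR) }
    if {[info exists env(TMPDIR)]}     { return $env(TMPDIR) }
    return /tmp
}

# Hypothetical helper: open $path for writing without ever following a
# symlink planted there. CREAT+EXCL makes the kernel refuse if anything
# already exists at $path, so there is no check-then-open race. Only a
# stale regular file is replaced, and only once; a symlink is reported.
proc SafeOpenForWrite {path {retry 1}} {
    if {![catch {open $path {WRONLY CREAT EXCL} 0600} fd]} {
        return $fd
    }
    # Something is already there (or the directory is not writable).
    # lstat does not follow symlinks, so st(type) says what it really is.
    if {[catch {file lstat $path st}]} {
        error "cannot create $path: $fd"
    }
    if {$st(type) eq "link"} {
        error "refusing to write through symlink $path -> [file readlink $path]"
    }
    if {$st(type) ne "file" || $retry <= 0 || [catch {file delete $path}]} {
        error "refusing to reuse pre-existing $path ($st(type))"
    }
    return [SafeOpenForWrite $path [expr {$retry - 1}]]
}

# The open call from ExmhMailError in error.tcl, rewritten to use the
# helper. exmh reports through Exmh_Status; stderr stands in for it here.
proc ExmhMailError {w errInfo} {
    set path [file join [Env_Tmp] exmhErrorMsg]
    if {[catch {SafeOpenForWrite $path} out]} {
        puts stderr "Cannot open $path: $out"
        return
    }
    puts $out $errInfo
    close $out
    return $path
}

# Constructed sample call: the widget name and trace are placeholders.
ExmhMailError .dummy "constructed error trace: background error in Msg_Show"
```

With TMPDIR pointing at a private directory the EXCL open normally succeeds first time; on a shared /tmp the helper surfaces a planted symlink as an error instead of writing through it.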
