Full Disclosure mailing list archives

Multiple vulnerabilities in Deliver
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 24 Mar 2010 10:07:46 -0400

 Deliver, multiple vulnerabilities
 March 24, 2010


Deliver (http://deliver.sourceforge.net/), a mail delivery program installed
root as /usr/bin/deliver, is vulnerable to several race conditions that can
be exploited by a local attacker using symbolic links.  On systems using
over NFS, these attacks can result in gaining root privileges via taking
of critical system files.  On other systems, these attacks can result in
denial-of-service conditions and information disclosure.  In addition, users
can deny service to other users by creating lockfiles for other users'


Users are advised to discontinue use of Deliver in the absence of a patch or
new release from the developer.


These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg () gmail com).


1/14/10 - Vulnerabilities discovered
1/27/10 - Developer notified
1/27/10 - Developer response, fix planned
3/20/10 - Fix deadlines repeatedly passed, disclosure date set at 3/24/10
3/24/10 - Disclosure


CVE identifier CVE-2010-0439 has been assigned to these issues.
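
Added example, not part of the original advisory and not Deliver's code: the advisory does not show the affected code, so this sketches one general mitigation for the class it names, a privileged program that opens a mailbox and validates it through the file descriptor instead of the path. The function names, the temporary directory layout and the file names are hypothetical, and O_NOFOLLOW protects only the last path component.

```c
/* Added example, not Deliver's code: names and temp layout are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing mailbox without following a symlink in the last path
   component, then validate the opened object through its descriptor. */
int open_mailbox(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NONBLOCK keeps a planted FIFO from stalling the open. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                  /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);                  /* not a regular file, hard-linked, or wrong owner */
        return -1;
    }
    return fd;
}

/* Constructed scenario. Returns a bitmask: 1 = real mailbox accepted,
   2 = symlink rejected, 4 = hard link rejected; -1 on setup failure. */
int run_demo(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", real[64], sym[64], hard[64];
    int r = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/alice", dir);
    snprintf(sym, sizeof sym, "%s/bob", dir);
    snprintf(hard, sizeof hard, "%s/carol", dir);
    fd = open(real, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(real, sym) != 0) return -1;
    if ((fd = open_mailbox(real, geteuid())) >= 0) { r |= 1; close(fd); }
    if (open_mailbox(sym, geteuid()) < 0) r |= 2;
    if (link(real, hard) != 0) return -1;
    if (open_mailbox(hard, geteuid()) < 0) r |= 4;
    unlink(sym); unlink(hard); unlink(real); rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d\n", run_demo()); return 0; }
```

Any later ownership or mode change should likewise go through the descriptor (fchown, fchmod) so it applies to the object that was checked.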