Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: mpack 1.6 allows eavesdropping on mails sent by other users
From: Sebastian Pipping <sebastian () pipping org>
Date: Thu, 19 Jan 2012 07:32:26 +0100

On 12/31/2011 08:39 PM, Sebastian Pipping wrote:
A patch
=======
A patch could be to change create files with 0600 permissions rather
than 0644 as done by [4].  However, that approach affects creation of
non-temporary files too.  In some cases, users may not want that
behaviour -- you tell me.

There now is a patch in addition to [4] that people seeking to fix the
described issue may be interested in.

Dirk Meyer of FreeBSD brought my attention to a broken case with munpack
that was shipped broken with the original 1.6 upstream tarball but may
have been fixed by the removal of O_EXCL applied by earlier attempts to
fix the insecure tempfile handling (as with FreeBSD).

So with O_EXCL back in (or still in place), patch [5] can be used to
repair munpack.

Best,



Sebastian


[4]
http://git.goodpoint.de/?p=mpack.git;a=commitdiff;h=0c87201f64491575350b18d04c62ec142e119d1f

[5]
http://git.goodpoint.de/?p=mpack.git;a=commitdiff;h=a4ececa89969adfa53c30878b21178e1427cb6c5


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]