-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                NetBSD Security Advisory 2022-003
                =================================

Topic:          Race condition in mail.local(8)

Version:        NetBSD-current:         affected prior to 2022-05-17
               NetBSD 10:              not affected
               NetBSD 9.*:             affected
               NetBSD 8.*:             affected

Severity:       Local user may be able to own any file or append arbitrary
               data

Fixed:          NetBSD-current:         May 17, 2022
               NetBSD-9 branch:        May 17, 2022
               NetBSD-8 branch:        May 17, 2022

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A race condition exists in the mail.local(8) (/usr/libexec/mail.local)
program which is setuid root. That may be exploited in order to change
the ownership of or append arbitrary data to an arbitrary file.

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.

This was originally addressed in NetBSD-SA2016-006 and has been
assigned CVE-2016-6253. The fix proved inefficient and had to
be fixed again, which is the reason for this new advisory.


Technical Details
=================

The user mailbox (typically /var/mail/$USER) which is used to deliver a
message, is checked using lstat(2) to verify that the file is not a symlink.
Then if the file is not a symlink, it's opened. If the file does not
exist, it is created with another open(2) call. There is a tiny window
between the two open calls in which the attacker could symlink it
to a arbitrary file, and the mail.local program then would chown
the file the symlink points to.


Solutions and Workarounds
=========================

Potential workaround is to remove /usr/libexec/mail.local, if you use
postfix(1) as the only way of delivering mails. mail.local(8) program was used
by sendmail(8) which is no longer shipped with the NetBSD (currently
postfix(1) is used as a default MTA). mail.local(8) dependency should be
checked manually in case of other MTAs).

To apply a fixed version from a releng build, fetch a fitting
base.{tgz,tar.xz} from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz libexec/mail.local

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and
installing a new version of mail.local(8).



* NetBSD-current:

       Systems running NetBSD-current dated from before 2022-05-18
       should be upgraded to NetBSD-current dated 2022-05-18 or later.

       The following files/directories need to be updated from the
       netbsd-current CVS branch (aka HEAD):
               src/libexec/mail.local

       To update from CVS, re-build, and re-install mail.local(8):
               # cd src
               # cvs update -d -P libexec/mail.local
               # cd libexec/mail.local
               # make USETOOLS=no cleandir dependall
               # make USETOOLS=no install

* NetBSD 8.* or 9.*:

       Systems running NetBSD 8.* or 9.*  sources dated from before
       2022-05-18 should be upgraded from NetBSD 8.* or 9.* sources dated
       2022-05-18 or later.

       The following files/directories need to be updated from the
       netbsd-8 or netbsd-9 branches:
               src/libexec/mail.local

       To update from CVS, re-build, and re-install mail.local(8):

               # cd src
               # cvs update -r <branch_name> -d -P libexec/mail.local
               # cd libexec/mail.local
               # make USETOOLS=no cleandir dependall
               # make USETOOLS=no install


Thanks To
=========

Jan Schaumann for pointing out the ineffectiveness of the original 2016-07-19
fix.


Revision History
================

       2022-10-04      Initial release
       2022-10-08      Mention all branches affected


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

       https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc

Information about NetBSD and NetBSD security can be found at

       https://www.NetBSD.org/
       https://www.NetBSD.org/Security/


Copyright 2022, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2022-003.txt,v 1.2 2022/10/08 13:28:21 christos Exp $

-----BEGIN PGP SIGNATURE-----

iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmNBe0scHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/8ArEACkpb+MITxIWyjW8ny2
8+5963s7RUy2C3hH0SEkMdxt072kieo0aZVJox77USKYCrw3Bp0g0tYtAEQ1bqqL
+y37lN3vRS5XsLs3X7x+/m3jdryVkLgLY/QQOoga676uTxYt2ql3kWcQYfMU0uLf
Sif+0jmes/2h4npAOUO9U1t21MtEnal+YnIP0q6P7gx+sWaljXX0lmAsPGG8Jiil
XXi88ZdvmyTLUOtXC2Jj/LOov/6p7OPnVjFKZh+c13rGC0BiwqAlmcoVh25G4afB
2WpCEn40cQnrYYfxhICzgOJs5XHsC06EQLfUdSO8PmkNk3wGOFUoRoDDz1cPFp2i
l1J4rcDBhpHJIrj0Twanza3UiA90jseQtG0Kuvl9v8RVN7r4iqeWybI9/kJuzyEK
oweCGHmYTb/4TWxKSI3y/ys7rCj0dzqbQXbcmAYRKpH4jH2oz+OBz+F3noqX+yiv
HvONB9lin8Xd2Wu8qoNXRjt6mPgOhUnX2w0V1lfdCexqjpP5pO/C9erXyYbS8CIy
DAfX3BUMTcyTEuJY/1/+TgYTvPPRfkFR3GgniIBuGycqKOB9uARHgi2K5/eneDUq
kNX61BpAzZHww9VmRSYY/jdNBHt5H42qGKZZpKCDJyOZsUcgtcTxPDwGT18o9XMQ
idQLJA1V3/1ZNZ9r+USUTdTAvQ==
=hwbs
-----END PGP SIGNATURE-----

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.