Date: Thu, 28 Jan 2010 14:31:24 +0100
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: maildrop

Hi Josh

On Thu, 28 Jan 2010 01:53:41 pm Josh Bressers wrote:
> ----- "Steffen Joeris" <steffen.joeris@...lelinux.de> wrote:
> > Could I please get a CVE id for this privilege escalation bug[0] in
> > maildrop?
> >
> > Cheers
> > Steffen
> >
> > [0]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
> 
> Can you sum this up in a few sentences? I'm having a horrible time
> following that bug.

From the DSA text:

Christoph Anton Mitterer discovered that maildrop, a mail delivery agent
with filtering abilities, is prone to a privilege escalation issue that
grants a user root group privileges.


The issue occurs when invoking maildrop -d, which keeps the root group
privileges on the mailbox rather than changing them to the user's gid.

Cheers
Steffen
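
The state described in the DSA text above (uid changed to the user, root group kept) is what a post-drop credential check is meant to catch. The following C sketch is an added example, not part of the original post and not maildrop's code; `drop_to_user`, `leaked_privs`, `struct creds` and the uid/gid value 1000 are hypothetical names and constructed values.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes setgroups() under strict -std modes */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64
enum { LEAK_UID = 1, LEAK_GID = 2, LEAK_GROUPS = 4 };

/* Credential snapshot, kept apart from the syscalls so the check is testable. */
struct creds {
    uid_t ruid, euid;
    gid_t rgid, egid;
    int ngroups;
    gid_t groups[MAX_GROUPS];
};

/* Bitmask of credentials that still differ from the target uid/gid. */
int leaked_privs(const struct creds *c, uid_t uid, gid_t gid)
{
    int leak = 0;
    if (c->ruid != uid || c->euid != uid) leak |= LEAK_UID;
    if (c->rgid != gid || c->egid != gid) leak |= LEAK_GID;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] != gid) leak |= LEAK_GROUPS;
    return leak;
}

/* Drop from root to uid/gid: groups and gid first, uid last, then verify. */
int drop_to_user(uid_t uid, gid_t gid)
{
    struct creds c;
    if (setgroups(1, &gid) != 0) return -1;  /* replace supplementary groups */
    if (setgid(gid) != 0) return -1;         /* needs root, so before setuid */
    if (setuid(uid) != 0) return -1;
    c.ruid = getuid();  c.euid = geteuid();
    c.rgid = getgid();  c.egid = getegid();
    c.ngroups = getgroups(MAX_GROUPS, c.groups);
    if (c.ngroups < 0) return -1;
    return leaked_privs(&c, uid, gid) ? -1 : 0;
}

int main(void)
{
    /* Constructed state: uid switched to 1000, root group (gid 0) kept. */
    struct creds kept = { 1000, 1000, 0, 0, 1, { 0 } };
    printf("leak mask: %d\n", leaked_privs(&kept, 1000, 1000));
    return 0;
}
```

`drop_to_user` only succeeds when called as root; a delivery agent would treat a non-zero return as fatal and refuse to touch the mailbox.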
