Date: Thu, 19 Jan 2012 07:32:26 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
CC: Dirk Meyer <dirk.meyer@...oex.sub.org>
Subject: Re: mpack 1.6 allows eavesdropping on mails sent by other users

On 12/31/2011 08:39 PM, Sebastian Pipping wrote:
> A patch
> =======
> A patch could be to change create files with 0600 permissions rather
> than 0644 as done by . However, that approach affects creation of
> non-temporary files too. In some cases, users may not want that
> behaviour -- you tell me.

There now is a patch in addition to  that people seeking to fix the
described issue may be interested in.

Dirk Meyer of FreeBSD brought my attention to a broken case with munpack
that was shipped broken with the original 1.6 upstream tarball but may
have been fixed by the removal of O_EXCL applied by earlier attempts to
fix the insecure tempfile handling (as with FreeBSD).

So with O_EXCL back in (or still in place), patch  can be used to repair
munpack.

Best,

Sebastian

> http://git.goodpoint.de/?p=mpack.git;a=commitdiff;h=0c87201f64491575350b18d04c62ec142e119d1f

http://git.goodpoint.de/?p=mpack.git;a=commitdiff;h=a4ececa89969adfa53c30878b21178e1427cb6c5
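
Added example, not part of the message above and not mpack's code: the two settings the thread discusses, creation mode 0600 versus 0644 and O_EXCL, shown with plain POSIX calls. The function names and the scratch directory under /tmp are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_EXCL makes open() fail with EEXIST when the name already exists (a
 * symlink counts), so a file planted by another local user is never reused.
 * `mode` is the requested permission set; the umask can only clear bits. */
static int create_exclusive(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Permission bits of an open descriptor (-1 on failure); closes fd. */
static int perms_and_close(int fd)
{
    struct stat st;
    int bits = (fd >= 0 && fstat(fd, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    if (fd >= 0) close(fd);
    return bits;
}

/* One file per mode in a constructed scratch dir, then a retry on a taken name. */
int demo(int *perm_0644, int *perm_0600, int *retry_errno)
{
    char dir[64], a[96], b[96];
    mode_t old = umask(022);                  /* common default umask */
    int fd;
    snprintf(dir, sizeof dir, "/tmp/tmpfile-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) { umask(old); return -1; } /* fails if it exists */
    snprintf(a, sizeof a, "%s/part-0644", dir);
    snprintf(b, sizeof b, "%s/part-0600", dir);
    *perm_0644 = perms_and_close(create_exclusive(a, 0644)); /* any user can read */
    *perm_0600 = perms_and_close(create_exclusive(b, 0600)); /* owner only */
    errno = 0;
    fd = create_exclusive(b, 0600);           /* name is taken now */
    *retry_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(a); unlink(b); rmdir(dir);
    umask(old);
    return 0;
}

int main(void)
{
    int p644 = -1, p600 = -1, e = -1, rc = demo(&p644, &p600, &e);
    printf("rc=%d 0644->%04o 0600->%04o retry errno=%d\n", rc, (unsigned)p644, (unsigned)p600, e);
    return rc != 0;
}
```

With O_EXCL in place, a caller that legitimately needs to write to an existing name has to treat EEXIST explicitly (pick a new name or remove its own file first) rather than dropping the flag.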