Date: Thu, 19 Jan 2012 07:32:26 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
CC: Dirk Meyer <dirk.meyer@...oex.sub.org>
Subject: Re: mpack 1.6 allows eavesdropping on mails sent by other users

On 12/31/2011 08:39 PM, Sebastian Pipping wrote:
> A patch
> =======
> A patch could be to create files with 0600 permissions rather
> than 0644 as done by [4].  However, that approach affects creation of
> non-temporary files too.  In some cases, users may not want that
> behaviour -- you tell me.

There now is a patch in addition to [4] that people seeking to fix the
described issue may be interested in.

Dirk Meyer of FreeBSD brought my attention to a broken case with munpack
that was shipped broken with the original 1.6 upstream tarball but may
have been fixed by the removal of O_EXCL applied by earlier attempts to
fix the insecure tempfile handling (as with FreeBSD).

So with O_EXCL back in (or still in place), patch [5] can be used to
repair munpack.

Best,

Sebastian


> [4]
> http://git.goodpoint.de/?p=mpack.git;a=commitdiff;h=0c87201f64491575350b18d04c62ec142e119d1f

[5]
http://git.goodpoint.de/?p=mpack.git;a=commitdiff;h=a4ececa89969adfa53c30878b21178e1427cb6c5
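As an added example (not code from mpack, from either patch, or from this thread), the following C routine combines the two ingredients the thread discusses: O_EXCL so an existing file is never reused, and mode 0600 so other local users cannot read the result as they could with mpack 1.6's 0644 files. It also verifies after creation what it actually got; the /tmp path is an assumed placeholder.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a fresh, private file.  O_EXCL refuses to reuse a
 * file that already exists (a planted file or symlink is never opened),
 * and mode 0600 keeps other users out, unlike 0644.  Returns fd or -1. */
int create_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    /* Verify the result: a regular file owned by us with no group/other
     * bits.  The umask can only clear bits, but this also catches races. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Exercise the behaviour the fix relies on.  Returns 0 when the file is
 * created private and a second O_EXCL open is refused with EEXIST. */
int check_private_creation(const char *path)
{
    struct stat st;
    int rc = 0;
    unlink(path);                          /* start from a clean slate */
    int fd = create_private_file(path);
    if (fd < 0)
        return 1;                          /* could not create at all */
    if (stat(path, &st) != 0 || (st.st_mode & (S_IRGRP | S_IROTH)))
        rc = 2;                            /* readable by others: the bug */
    else if (create_private_file(path) != -1 || errno != EEXIST)
        rc = 3;                            /* O_EXCL did not refuse reuse */
    close(fd);
    unlink(path);
    return rc;
}

/* Placeholder path; a real program would derive an unpredictable name. */
int main(void) { return check_private_creation("/tmp/mpack_private_demo"); }
```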
