[LWN Logo]
[LWN.net]
Date:         Mon, 9 Apr 2001 06:31:31 -0500
From: Progeny Security Team <security@PROGENY.COM>
Subject:      PROGENY-SA-2001-03: mailx buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 ---------------------------------------------------------------------------
 PROGENY LINUX SYSTEMS -- SECURITY ADVISORY               PROGENY-SA-2001-03
 ---------------------------------------------------------------------------

    Topic:          mailx buffer overflow

    Category:       mail
    Module:         mailx
    Announced:      2001-04-09
    Credits:        Debian Security Team <debian-security-private@lists.debian.org>
    Affects:        Progeny Debian (mailx prior to 8.1.1-10.1.5progeny1)
                    Debian GNU/Linux (mailx prior to 8.1.1-10.1.5)
    Vendor-Status:  New Version Released (mailx_8.1.1-10.1.5progeny1)
    Corrected:      2001-04-09
    Progeny Only:   NO

    $Id: PROGENY-SA-2001-03,v 1.5 2001/04/09 08:39:58 csg Exp $

 ---------------------------------------------------------------------------


SYNOPSIS

A buffer overflow in mailx allows a local user to gain access to the
mail group.


PROBLEM DESCRIPTION

Mailx is a simple program to read and send e-mail.  Mailx is installed
setgid mail on Progeny and Debian systems.  A buffer overflow in mailx
allows for a local user to gain access to the mail group, which would
allow that user to read and write to other mail spools.

Debian resolved this problem by no longer shipping mailx setgid mail.
Progeny has decided to use Debian's fix.  This means that on mail
systems that do not have world writable mail spools one will not be
able to properly lock one's mailbox.


IMPACT

Local users can compromise the privileges of the mail group.


SOLUTION

Upgrade to a fixed version of mailx.  You may use Progeny's mailx package,
version mailx_8.1.1-10.1.5progeny1, for convenience.


WORKAROUND

 1. If you do not have the suidmanager package (which supplies the
    suidregister command) installed you can retrieve it by running the
    following command.  If you already have this package skip to the
    second step of the workaround.

	apt-get update && apt-get install suidmanager

 2. Now you can manually apply this fix by running the following as root:

	suidregister /usr/bin/mail root root 0755


UPDATING VIA APT-GET

 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
    security update repository:

        deb http://archive.progeny.com/progeny updates/newton/

 2. Update your cache of available packages for apt(8).

    Example:

        # apt-get update

 3. Using apt(8), install the new kernel package.  apt(8) will download
    the update, verify it's integrity with md5, and then install the
    package on your system with dpkg(8).

    Example:

        # apt-get install mailx


UPDATING VIA DPKG

 1. Using your preferred FTP/HTTP client to retrieve the following
    updated files from Progeny's update archive at:

    http://archive.progeny.com/pub/progeny/updates/newton/

    Filename                             MD5 Checksum
    ------------------------------------ --------------------------------
    mailx_8.1.1-10.1.5progeny1_i386.deb  fe12bbc355688e9eeff853cf13ed7f58

    Example:

        # wget http://archive.progeny.com/pub/progeny/updates/newton/mailx_8.1.1-10.1.5progeny1_i386.deb

 2. Use the md5sum command on the retrieved file to verify that it matches
    the md5sum provided in this advisory:

    Example:

        # md5sum mailx_8.1.1-10.1.5progeny1_i386.deb

 3. Then install the replacement package(s) using the dpkg command.

    Example:

        # dpkg --install mailx_8.1.1-10.1.5progeny1_i386.deb


MORE INFORMATION

There is no more information available at this time.

 ---------------------------------------------------------------------------

pub  1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDrKpVkRBACS4/hjUliUt9UGTHMUGSZpQlKfBk9OFHmyLHTdjyIBCWRMmOBn
RRhag0FgPicVIDndoQvYw3+ESC/RtbuPCBf6DZ7S0+NHhm1SHEbZyHFLkRXJm+IS
29oFmKrfXnXHckCrJFDZbOznRF6dVe7hV8CYi3FtoTjlRbuiHPQCMuy4ewCghAfv
eYxfB25AoTdBT7WiG8jd4w8D/iFweuqzTwcWtXEgDbDd21W9hNPLEELgguimCCdP
l3GHqw/MUJpIvdYfYhCzTaf4VpvkM5xlJGAcelCUL9qAufwyU8U8JI2YzlbqSlO8
qRwaiwq9qisTKEBb3IQadFqug+ihVdUeP8cuXPvbUEbFt7ILWyUD/kntgFdf1Apo
zZWlA/0SM45hV6yomcM7z08tyh4hZTrWX/RUJqe+U1niNAmzPg4P+r8SfXdIkjb2
fZT5h5cYLIiK+kUEkqyPmZwUlgMCCn4IYVd2pcKXKXWE8ympuf3E5wGYeiVpLBM/
th7qdEF87sViV8McfiRuXEonYrs1nSQZX+f4OxvTQqaP46u10rQsUHJvZ2VueSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBwcm9nZW55LmNvbT6IVwQTEQIAFwUCOsql
WQULBwoDBAMVAwIDFgIBAheAAAoJEEnBfSP5LU0f/sUAnjDpQs5SnFotNJ7GeIWx
Ftf7AvBBAJ0cygWS0XRXxJJq2PKbCbdln+i4d7kEDQQ6yqcjEBAA465SSuC/yvN7
WeZAN9XperqZtxLCVe8hLfrLZ+9/Xn2ysuEEe90rYe1X0HbsB/mInHF3VmT+XvHB
VdDQ7o0VMw7aeDgprt3jDQgT8gIesSOhZvulDujmLhykE+FT/V4lKpqO8prv7Ujs
AfuC7g/X2dcV1+imNOeivLaCM0+HrwUhdvifWFDwE97wBkrda/vhu9zs3NwMeBVN
UYfkRLPm+DGUSQVrteNiYJchhqfJB0mjrd+3FgnpCVgdU4c42epZ2ez/WTgTchoT
duMCd1sM9gzvQIih56KzxlGL82PVS2m0PNxSQ8iZpheMMGWregjpjpMRcrRbSXy+
WmPBacOiE/MyxXand+lGzig/9Srm6msUT5jE/lDcfySznJWH8B/fqD7KM5Z0ZM+b
3xV0PzGyMld+m3BfGolqsd5bpo8HaWCWsZVYfgdXjoDPYptsoPdLesN6WIAHA1kU
n2kckccz4xOoI/8MqKhkzZe0q5a9sv6RLBWDeVLxJnDuXZgcwCc4OvpcR4HnOE7c
U5VsyjYwTkzGWWuQxb8uxng3akHTK2PqeZAnC0tvtuwI7QFhOq/dzz+zHzVH2+Qh
55Aq6DjA9yEs3P7g31wb3duGdWtuIXn+N85GiJdZ1EmJESQCuOYOSHsV4bGxKcpg
PIpoSr5QBAUtUOTwN+xC8nNjZtC5OzsAAwYP/1OD/eiEraGpy7Z9scgXBjjb1kly
tgq06zGlSMWPEQoN3F87YeMiOsXSeDxJG+cnhvlys1Qoytp9/drsDLANi+Q61A/b
aka2IJLudiDu4iUDFb1rgRUERBciA31karPf2IwNjdU8lbulHfxQcjtjj7rbSWOG
gxzlPcLp2F5ee3h0qs+XW4UpD6K9f/u9gGT4nMr3owG06uNomlBAsGCVpk9XlRxG
x96161vrbmTPUx/o6NhqHNuf5Zh8ZmxQ3PYydywiE9njOtS04TTad24qbdPlVQh2
kjkTdsMCFRGaAB8EYImMT3F0ofon1Q/XWZrRlhkZpzuAKLhdSOW5G+tygNy2IqsH
wCYa/rDitYZeNN4EUb5At4HnSBCy86GFQgj+sDFO6yp+h7NLIMeTm0csaSbKEt6o
cbn0iMaRbLdHmAm0UHATPho+M2brf3mTztvAPONta2FC9TP1L1ojTDd4mtO9IcdM
hjOVqNbuyLXkWgPcSmwhhjB61p3/1M1Y/zfXxLOsi/XJlstYzzKzHa68F1e9dTEz
kgeYo1hG5TqMKv1sXfPJHw4N/QVcLoUlpUJZ/kI2OQD5mAhCCZ9PbT2fT4gLhy7U
sn0blh/R/0HFSFDwHgmx8mNfw7w0qFbba9/FEE8D5qhyyCx5KTk0OkvRL9OpzO7E
jzjdcfb6B2XpgSC8iEYEGBECAAYFAjrKpyMACgkQScF9I/ktTR90vgCggiX108DO
S3rhSkmfFuHey8w4RlIAn3nD+uCe+sjCFqVwb+LY2jO3ybjB
=6dRm
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjrReZ0ACgkQScF9I/ktTR/hHgCeOeG6MZLR8gjTcTjzy7qLg6mW
VZ0An3wuHPbBlpOIGZqe1okntCNKRxvZ
=BGZ5
-----END PGP SIGNATURE-----