[Secure-testing-team] Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c

John Lightsey lightsey at debian.org
Tue Aug 16 13:27:22 UTC 2011
Package: masqmail
Version: 0.2.21-4
Severity: critical
Tags: security
Justification: root security hole

Reporting publicly since this has already been disclosed on the masqmail list.

In src/log.c there are two logging functions that use this logic:

uid_t saved_uid;
saved_uid = seteuid(conf.mail_uid);

/* ... write to a log file ... */

seteuid(saved_uid);

The first seteuid() call here isn't returning the previous EUID, it's
returning 0 on success and -1 on failure. The net result should be that
any time masqmail writes to the log, it's resetting the EUID to root.
This would undo the effect of other code in masqmail that drops root
privileges.

The most recent upstream version of masqmail (0.3.2) contains identical
code to the version I audited (Debian stable's version 0.2.27).

Per information provided by the upstream author, src/masqmail.c contains
additional code with the same type of flaw.
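To make the flaw concrete, here is a small added example (not masqmail's own code; the function names are hypothetical) that puts the quoted pattern next to a corrected one. It switches to the caller's own EUID so it runs without privileges, but the point is the same: the flawed version "saves" the return status of seteuid(), so the value it would later restore is 0 whatever the previous EUID was, while the corrected version records geteuid() before switching and checks that both the switch and the restore actually succeed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern as quoted from src/log.c: seteuid() returns 0 on success
 * or -1 on failure, so "saved_uid" never holds the previous EUID. */
uid_t flawed_save_and_switch(uid_t target)
{
    uid_t saved_uid;
    saved_uid = seteuid(target);   /* 0 on success, (uid_t)-1 on failure */
    return saved_uid;              /* restoring this later means seteuid(0) */
}

/* Corrected pattern: read the current EUID with geteuid() before switching,
 * and refuse to continue if the switch itself fails. */
int correct_save_and_switch(uid_t target, uid_t *saved_uid)
{
    *saved_uid = geteuid();
    if (seteuid(target) != 0)
        return -1;
    return 0;
}

/* Wrapper returning only the saved value, or (uid_t)-1 if switching failed. */
uid_t correct_saved_value(uid_t target)
{
    uid_t saved;
    if (correct_save_and_switch(target, &saved) != 0)
        return (uid_t)-1;
    return saved;
}

/* Restore with an error check; a failed restore must not go unnoticed. */
int restore_euid(uid_t saved_uid)
{
    return seteuid(saved_uid) == 0 ? 0 : -1;
}

int main(void)
{
    /* Switching to our own EUID always succeeds, so both patterns "work",
     * but only one of them remembers who we were. */
    uid_t me = geteuid();
    uid_t saved_flawed = flawed_save_and_switch(me);
    uid_t saved_correct = correct_saved_value(me);

    printf("current EUID              : %lu\n", (unsigned long)me);
    printf("flawed code would restore : %lu\n", (unsigned long)saved_flawed);
    printf("correct code would restore: %lu\n", (unsigned long)saved_correct);

    if (restore_euid(saved_correct) != 0)
        perror("seteuid");
    return 0;
}
```

Run as any unprivileged user the flawed value printed is 0 while the EUID is not, which is exactly the condition under which the restore in src/log.c hands the process back to root in a setuid-root masqmail.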

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash