Debian DSA-1629-2 : postfix - programming error

medium Nessus Plugin ID 33934

Synopsis

The remote Debian host is missing a security-related update.

Description

Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root.

Note that only specific configurations are vulnerable; the default Debian installation is not affected. Only a configuration meeting the following requirements is vulnerable:

- The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents.
- The mail spool directory (/var/spool/mail) is user-writeable.
- The user can create hardlinks pointing to root-owned symlinks located in other directories.

For a detailed treatment of the issue, please refer to the upstream author's announcement.
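The delivery-style and spool-permission requirements above can be checked directly on a host. The script below is an added example, not part of the advisory or of the Nessus plugin; its function names are hypothetical, and it assumes "user-writeable" means world-writable (a group-writable spool is reported separately so group membership can be reviewed). It does not check which delivery agent is in use or the hardlink requirement.

```shell
#!/bin/sh
# Added example: audits two of the advisory's requirements for one spool path.
# Function names are hypothetical; nothing here comes from the Nessus plugin.

# Classify who may create files in the spool directory.
# Prints: world | group | owner | missing
spool_write_scope() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    # "$dir/." makes find test the directory itself even when $dir is a
    # symlink (e.g. /var/spool/mail pointing at /var/mail).
    if [ -n "$(find "$dir/." -prune -perm -0002 -print)" ]; then
        echo world      # any local user can create entries here
    elif [ -n "$(find "$dir/." -prune -perm -0020 -print)" ]; then
        echo group      # exposed only to members of the owning group
    else
        echo owner
    fi
}

# Postfix treats a delivery path ending in "/" as maildir; anything else is
# mailbox style, which is the style named in the advisory.
delivery_style() {
    case $1 in
        */) echo maildir ;;
        *)  echo mailbox ;;
    esac
}

# Report for one spool path. Returns 1 when mailbox-style delivery goes into
# a world-writable spool, 0 otherwise.
# Typical call: audit_spool "$(postconf -h mail_spool_directory)"
audit_spool() {
    path=$1
    style=$(delivery_style "$path")
    scope=$(spool_write_scope "${path%/}")
    echo "style=$style spool_write=$scope"
    if [ "$style" = mailbox ] && [ "$scope" = world ]; then
        echo "REVIEW: mailbox delivery into a world-writable spool;" \
             "confirm postfix is at 2.3.8-2+etch1 or later on etch"
        return 1
    fi
    return 0
}

# Run only when a path is passed on the command line.
if [ $# -gt 0 ]; then audit_spool "$1"; fi
```

A `group` result is not a finding by itself; check which accounts belong to the directory's owning group.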

Solution

Upgrade the postfix package.

For the stable distribution (etch), this problem has been fixed in version 2.3.8-2+etch1.

See Also

http://article.gmane.org/gmane.mail.postfix.announce/110

https://www.debian.org/security/2008/dsa-1629

Plugin Details

Severity: Medium

ID: 33934

File Name: debian_DSA-1629.nasl

Version: 1.17

Type: local

Agent: unix

Published: 8/19/2008

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.9

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:postfix, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/19/2008

Vulnerability Publication Date: 8/18/2008

Reference Information

CVE: CVE-2008-2936

BID: 30691

CWE: 264

DSA: 1629