
Bug#311296: mutt: Temporary file creation is unsafe



Is there any reason for not using tmpfile(3) or a similar function?

----- Forwarded message from "Roberto C. Sanchez" <roberto@xxxxxxxxxxxxxxxxxx> -----

Subject: Bug#311296: mutt: Temporary file creation is unsafe
Reply-To: "Roberto C. Sanchez" <roberto@xxxxxxxxxxxxxxxxxx>,
        311296@xxxxxxxxxxxxxxx
From: "Roberto C. Sanchez" <roberto@xxxxxxxxxxxxxxxxxx>
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>

Package: mutt
Version: 1.5.9-2
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am only making this important because after discussing it on
#debian-devel, the consensus was that this was annoying but not RC.  I am
CC'ing Nico and Elimar since this also applies to the unofficial
mutt-ng packages.  mutt creates temporary files in a very predictable
and insecure way.  There is no threat of overwriting an existing file or
creating a file somewhere where the user lacks appropriate permissions,
but there is a trivial way to DoS the users in mutt.

Steps to replicate:

Log into a shared machine and run 'ps aux|grep mutt'.  Choose a user
running mutt.  Note the pid of the mutt process you want to DoS.  Note
the username and run 'id <user>' to get the uid.  Then run 'for i in
`seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done' and
watch the user not be able to 1) compose mail, 2) change mailboxes, 3)
reply to mail, or 4) view help until mutt is restarted.  For added fun,
wrap in another for loop that iterates from 0 to 32767 and hit all the
PIDs and prevent the user from using mutt until /tmp is cleaned or the
machine is rebooted.

- -Roberto

- --
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr

- -- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-miami-15.3
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)

Versions of packages mutt depends on:
ii  exim4                       4.50-6       metapackage to ease exim MTA (v4) 
ii  exim4-daemon-light [mail-tr 4.50-6       lightweight exim MTA (v4) daemon
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libdb4.3                    4.3.27-2     Berkeley v4.3 Database Libraries [
ii  libgnutls11                 1.0.16-9     GNU TLS library - runtime library
ii  libidn11                    0.5.13-1.0   GNU libidn library, implementation
ii  libncursesw5                5.4-4        Shared libraries for terminal hand
ii  libsasl2                    2.1.19-1.5   Authentication abstraction library

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCm2JATfhoonTOp2oRApT5AKCQ9U6Wh9YlgZxz9BTDMkflunb2EwCg4g9I
/gLq4ITlC+XqBYjYffH636M=
=gvk5
-----END PGP SIGNATURE-----

----- End forwarded message -----

-- 
ciao,
Marco
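An added example, not code from mutt or from either poster, contrasting the two schemes under discussion: the predictable `mutt-<hostname>-<uid>-<pid>-<n>` name from the report, opened with `O_EXCL` (so a pre-existing file is refused rather than reused, which is exactly why a planted file blocks it), beside `mkstemp(3)`, the named-file counterpart of the `tmpfile(3)` Marco asks about. The hostname string, uid and pid values, and the scratch directory are all constructed for the demo; the "planted" file simulates a stale leftover or a file another local user left at the predictable name, as the report describes.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The scheme the report describes: a name anyone can predict from host, uid
 * and pid. O_EXCL prevents reuse of an existing file (no overwrite), but any
 * file already sitting at that name makes the open fail: that is the DoS.
 * "host" stands in for the real hostname (constructed value). */
int open_predictable_temp(const char *dir, unsigned uid, int pid, int n)
{
    char path[4096];
    int len = snprintf(path, sizeof path, "%s/mutt-host-%u-%d-%d", dir, uid, pid, n);
    if (len < 0 || (size_t)len >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* The fix: mkstemp(3) replaces XXXXXX with an unpredictable suffix and creates
 * the file atomically with O_CREAT|O_EXCL and mode 0600. A file planted at any
 * one name only costs mkstemp an internal retry. The chosen path is written to
 * 'out' so the caller can hand it to an editor/viewer and unlink it later. */
int open_random_temp(const char *dir, char *out, size_t outlen)
{
    int len = snprintf(out, outlen, "%s/mutt-XXXXXX", dir);
    if (len < 0 || (size_t)len >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Check the descriptor really is a fresh, private, regular file. */
static int is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600
        && st.st_nlink == 1 && st.st_size == 0;
}

/* Run the comparison in a fresh scratch directory. Returns 0 when the
 * predictable name is blocked (EEXIST) by a pre-existing file while mkstemp
 * still succeeds alongside it; any other value identifies the failing step. */
int run_demo_in_fresh_dir(void)
{
    char dir[] = "/tmp/mutt-tmpdemo-XXXXXX";   /* constructed scratch dir */
    char planted[4096], random_path[4096];
    int rc = 0, fd = -1, pfd = -1;
    const unsigned uid = 1000u;                /* constructed uid */
    const int pid = 4242;                      /* constructed pid */

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(planted, sizeof planted, "%s/mutt-host-%u-%d-%d", dir, uid, pid, 0);

    /* Simulate a file already present under the predictable name. */
    pfd = open(planted, O_WRONLY | O_CREAT, 0644);
    if (pfd < 0) { rc = 2; goto out; }
    close(pfd);

    /* Predictable scheme: must fail with EEXIST rather than reuse the file. */
    fd = open_predictable_temp(dir, uid, pid, 0);
    if (fd >= 0) { close(fd); rc = 3; goto out; }
    if (errno != EEXIST) { rc = 4; goto out; }

    /* mkstemp scheme: unaffected by the planted file. */
    fd = open_random_temp(dir, random_path, sizeof random_path);
    if (fd < 0) { rc = 5; goto out; }
    if (!is_private_regular(fd))
        rc = 6;
    close(fd);
    unlink(random_path);
out:
    unlink(planted);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo_in_fresh_dir();
    printf("%s (code %d)\n",
           rc == 0 ? "mkstemp survives a planted predictable name" : "demo failed", rc);
    return rc;
}
```

`tmpfile(3)` returns an anonymous stream with no usable path, which is fine wherever no other program has to open the file; where the path must be passed to an external editor or viewer, `mkstemp(3)` plus the returned descriptor is the equivalent, and the caller should keep using that descriptor rather than reopening the file by name.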