
[Mutt] #3158: CVE id CAN-2005-2351: less random temp file creation allows DOS



#3158: CVE id CAN-2005-2351: less random temp file creation allows DOS
------------------------------+---------------------------------------------
 Reporter:  antonio@xxxxxxxx  |       Owner:  mutt-dev
     Type:  defect            |      Status:  new     
 Priority:  minor             |   Milestone:          
Component:  mutt              |     Version:  1.5.19  
 Keywords:                    |  
------------------------------+---------------------------------------------
 forwarding from http://bugs.debian.org/311296

 I am only making this important because after discussing it on
 #debian-devel, the consensus was that this was annoying but not RC.  I am
 CC'ing Nico and Elimar since this also applies to the unofficial
 mutt-ng packages.  mutt creates temporary files in a very predictable
 and unsecure way.  There is no threat of overwriting an existing file or
 creating a file somewhere where the user lacks appropriate permissions,
 but there is a trivial way to DoS the users in mutt.

 Steps to replicate:

 Log into a shared machine and run 'ps aux|grep mutt'.  Choose a user
 running mutt.  Note the pid of the mutt process you want to DOS.

 Note the username and run 'id <user>' to get the uid.

 Then run
 'for i in `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done'
 and watch the user not be able to
 1) compose mail,
 2) change mailboxes,
 3) reply to mail,
 4) or view help until mutt is restarted.

 For added fun, wrap in another for loop that iterates from 0 to 32767
 and hit all the PIDs and prevent the user from using mutt until /tmp is
 cleaned or the machine is rebooted.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3158>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
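
The failure mode reported above, next to the usual remedy, as an added example that is not taken from the ticket or from mutt's source. The functions `open_predictable`, `open_random` and `demo`, the retry bound `max_tries` and the scratch directory name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical model of the naming scheme in the report:
 * <dir>/mutt-<host>-<uid>-<pid>-<n>. O_EXCL means an existing file is never
 * overwritten, but every candidate name is guessable, so creation fails once
 * all of them exist. max_tries is an assumed retry bound. */
int open_predictable(const char *dir, const char *host, uid_t uid, pid_t pid,
                     int max_tries)
{
    char path[512];
    for (int n = 0; n < max_tries; n++) {
        snprintf(path, sizeof path, "%s/mutt-%s-%ld-%ld-%d", dir, host,
                 (long)uid, (long)pid, n);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;              /* success, or an error other than "taken" */
    }
    return -1;                      /* every candidate name already exists */
}

/* Hardened form: mkstemp() chooses a random suffix and opens with O_EXCL. */
int open_random(const char *dir, const char *host)
{
    char path[512];
    snprintf(path, sizeof path, "%s/mutt-%s-XXXXXX", dir, host);
    return mkstemp(path);
}

/* Constructed scenario inside a private scratch directory: all `taken`
 * candidate names already exist. Returns 1 when the predictable scheme is
 * blocked while the random one still succeeds, -1 on setup failure. */
int demo(int taken)
{
    char dir[] = "/tmp/tmpname-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    for (int n = 0; n < taken; n++)  /* occupy names 0..taken-1 */
        close(open_predictable(dir, "host", getuid(), getpid(), taken));
    int p = open_predictable(dir, "host", getuid(), getpid(), taken);
    int r = open_random(dir, "host");
    if (r >= 0)
        close(r);
    return p < 0 && r >= 0;
}
```

Placing the files in a per-user directory with mode 0700 instead of a shared /tmp removes the name collision entirely; the scratch directory created by `demo` is left behind for inspection.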