[Mutt] #3158: CVE id CAN-2005-2351: less random temp file creation allows DOS
#3158: CVE id CAN-2005-2351: less random temp file creation allows DOS
------------------------------+---------------------------------------------
Reporter: antonio@xxxxxxxx | Owner: mutt-dev
Type: defect | Status: new
Priority: minor | Milestone:
Component: mutt | Version: 1.5.19
Keywords: |
------------------------------+---------------------------------------------
forwarding from http://bugs.debian.org/311296
I am only making this important because after discussing it on
#debian-devel, the consensus was that this was annoying but not RC. I am
CC'ing Nico and Elimar since this also applies to the unofficial
mutt-ng packages. mutt creates temporary files in a very predictable
and unsecure way. There is no threat of overwriting an existing file or
creating a file somewhere where the user lacks appropriate permissions,
but there is a trivial way to DoS the users in mutt.
Steps to replicate:
Log into a shared machine and run 'ps aux|grep mutt'. Choose a user
running mutt. Note the pid of the mutt process you want to DOS. Note
the username and run 'id <user>' to get the uid. Then run
'for i in `seq 0 1000` ; do touch /tmp/mutt-<hostname>-<uid>-<pid>-$i ; done'
and watch the user not be able to
1) compose mail,
2) change mailboxes,
3) reply to mail,
4) or view help
until mutt is restarted.
For added fun, wrap in another for loop that iterates from 0 to 32767
and hit all the PIDs and prevent the user from using mutt until /tmp is
cleaned or the machine is rebooted.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3158>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
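
The failure mode reported above, as an added example that is not part of the ticket and is not Mutt's code: a counter-based name that every local user can compute, next to mkstemp(), which picks the name itself. The name pattern is modelled on the one quoted in the report; the function names, the scratch directory and the host/uid/pid values are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed model of the reported scheme: <dir>/mutt-<host>-<uid>-<pid>-<n>.
 * O_EXCL prevents overwriting, but creation fails once every name exists. */
static int open_predictable(const char *dir, const char *host, long uid,
                            long pid, int tries, char *out, size_t len)
{
    for (int n = 0; n < tries; n++) {
        snprintf(out, len, "%s/mutt-%s-%ld-%ld-%d", dir, host, uid, pid, n);
        int fd = open(out, O_CREAT | O_EXCL | O_RDWR, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;   /* created, or failed for a reason other than "taken" */
    }
    return -1;           /* every candidate name was already occupied */
}

/* Hardened form: mkstemp() chooses the suffix and creates the file atomically
 * (O_CREAT|O_EXCL, mode 0600), so the name cannot be reserved in advance. */
static int open_unpredictable(const char *dir, char *out, size_t len)
{
    snprintf(out, len, "%s/mutt-XXXXXX", dir);
    return mkstemp(out);
}

/* Constructed self-check in a private scratch directory: occupy the eight
 * candidate names, then try both. Returns 1 when only mkstemp() succeeds. */
static int demo(void)
{
    char dir[] = "/tmp/tmpname-demo-XXXXXX", p[256];
    if (!mkdtemp(dir)) return -1;
    for (int n = 0; n < 8; n++) {
        snprintf(p, sizeof p, "%s/mutt-host-1000-4242-%d", dir, n);
        close(open(p, O_CREAT | O_WRONLY, 0600));
    }
    int blocked = open_predictable(dir, "host", 1000, 4242, 8, p, sizeof p) < 0;
    int fd = open_unpredictable(dir, p, sizeof p);
    if (fd >= 0) { close(fd); unlink(p); }
    for (int n = 0; n < 8; n++) {
        snprintf(p, sizeof p, "%s/mutt-host-1000-4242-%d", dir, n);
        unlink(p);
    }
    rmdir(dir);
    return blocked && fd >= 0;
}
int main(void) { printf("demo=%d\n", demo()); return 0; }
```

Creating the files inside a per-user directory made with mkdtemp() (mode 0700) also keeps other local users from placing any names beside them.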