[Secure-testing-team] Bug#878138: muttprint: still vulnerable to symlink attack (race condition)
Vincent Lefevre
vincent at vinc17.net
Tue Oct 10 11:17:54 UTC 2017
Package: muttprint
Version: 0.73-8
Severity: grave
Tags: security upstream
Justification: user security hole

The muttprint Perl script contains:

    my $logf = "/tmp/muttprint.log";
    if (-e $logf)
    { ## 2008-12-24 -- Lukas Ruf
      # close CVE-2008-5368 -- muttprint vulnerable to symlink attack
      # ensure "/tmp/muttprint.log" adheres to the following constraints
      # - owner is current user
      # - only real files are allowed
      # if any of these fail, create a temporary file by use of tempfile()
    [...]

So, it first tests whether /tmp/muttprint.log exists, and potentially
uses an alternate pathname if it does. But if a /tmp/muttprint.log
symlink is created between the test (which returns false) and the
time this file is created, there's a security issue.

It would be sufficient to use a secure temporary file unconditionally
(and this is probably better, as more predictable).

BTW, using a hardcoded /tmp for temporary files is a bad idea anyway.

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages muttprint depends on:
ii libtext-iconv-perl 1.7-5+b6
ii perl 5.26.0-8
ii texlive-fonts-recommended 2017.20171004-1
ii texlive-latex-extra 2017.20171004-1
ii texlive-latex-recommended 2017.20171004-1
Versions of packages muttprint recommends:
ii emacs24-lucid [mail-reader] 24.5+1-11+local2
ii emacs25 [mail-reader] 25.2+1-6
ii evolution [mail-reader] 3.26.1-1
ii libtimedate-perl 2.3000-2
ii mailutils [mail-reader] 1:3.2-1
ii mutt [mail-reader] 1.8.3+neomutt20170609-2+b1
Versions of packages muttprint suggests:
pn compface <none>
ii dialog 1.3-20160828-2
ii emacs24-lucid [news-reader] 24.5+1-11+local2
ii emacs25 [news-reader] 25.2+1-6
ii imagemagick 8:6.9.7.4+dfsg-16
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-16
ii lynx [news-reader] 2.8.9dev16-1
ii muttprint-manual 0.73-8
pn ospics <none>
ii psutils 1.17.dfsg-4
ii texlive-fonts-extra 2017.20171004-1
ii tin [news-reader] 1:2.4.1-1
-- no debconf information
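
Added example, not part of the original report and not muttprint's own code: the check-then-create pattern from the report next to two race-free ways of opening the log, File::Temp used unconditionally and an atomic exclusive create. The helper names open_log_tempfile and open_log_exclusive, the file name template and the scratch directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp ();
use File::Spec ();

# Racy pattern described in the report: the existence test and the later
# creation are two separate steps, so the path can change in between.
#   my $logf = "/tmp/muttprint.log";
#   if (-e $logf) { ... fall back to tempfile() ... }
#   open(my $fh, '>', $logf);    # follows whatever is at the path by now

# Fix suggested in the report: use a secure temporary file unconditionally.
# File::Temp picks an unpredictable name and creates it with O_CREAT|O_EXCL,
# mode 0600, in File::Spec->tmpdir (honours $TMPDIR, not a hardcoded /tmp).
sub open_log_tempfile {    # hypothetical helper name
    my $tmp = File::Temp->new(
        TEMPLATE => 'muttprint-XXXXXXXX',
        SUFFIX   => '.log',
        TMPDIR   => 1,
        UNLINK   => 0,    # keep the log after the program exits
    );
    return ($tmp, $tmp->filename);
}

# Alternative when a fixed name is required: test and create in one atomic
# system call. With O_CREAT|O_EXCL the open fails with EEXIST if anything,
# including a symlink, already exists at the path.
sub open_log_exclusive {    # hypothetical helper name
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return;    # $! holds the reason; caller picks the fallback
    return $fh;
}

# Constructed demonstration inside a private scratch directory.
my $dir   = File::Temp->newdir();
my $fixed = File::Spec->catfile($dir, 'muttprint.log');
symlink('/nonexistent/target', $fixed) or die "symlink: $!";

my $fh = open_log_exclusive($fixed);
print defined $fh ? "opened (unexpected)\n" : "refused pre-existing path: $!\n";

my ($log, $name) = open_log_tempfile();
print {$log} "log entry\n";
printf "logging to %s (mode %04o)\n", $name, (stat $name)[2] & 07777;
```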