SA-1998.01.txt
-----BEGIN PGP SIGNED MESSAGE-----
Subject: Caldera Security Advisory SA-1998.01: Vulnerability in metamail
Original report date: 24-Oct-1997
RPM build date: 07-Jan-1998
Advisory issue date: 09-Jan-1998
Topic: Metamail allows a fake mime enclosure to overwrite a user's file.
I. Problem Description
Metamail is used by a number of mail readers to provide access
to mime enclosures. A weakness in metamail (version 2.7-5 and
earlier) can allow a faked mime enclosure to write or overwrite
a user's file.
II. Impact
An attacker can destroy, replace, or create a file in the
directory of a specific user via a mime enclosure. The
attacker must have the user's email address and the exact
path to files owned by the user. The user must 'view' the
mime enclosure via a mail reader that uses metamail or the
attack will not work.
The only known exploit uses a mime enclosure with content
named audio-file. (Do not play a mime audio enclosure of
this type without updating.)
This vulnerability exists when metamail has been installed
in these Caldera releases:
    CND 1.0
    COL 1.0
    COL 1.1 Standard
    COL 1.1 Base
    COL 1.1 Lite
The root user is not vulnerable unless the system has been
configured specifically to allow root to execute metamail.
This is done by setting an environment variable or by using a '-r'
command line flag. Pine is an example of a mail reader with
this flaw. We suggest that system administrators forward
mail sent to root having mime attachments to a less privileged
user account before 'reading' the mime attachments. (Even if
you have updated.)
III. Solution
If metamail capabilities are not needed on your system you can
remove metamail. This might be preferred in some installations
as metamail is script based and may have other unknown
vulnerabilities.
    rpm -e metamail
If access to mime attachments is needed you should update to
the new metamail which has been made more secure by use of the
mktemp package. Obtain these packages (check the md5sums for
verification):
    bb19c854958db5811918b2f4b4ad821c metamail-2.7-7.i386.rpm
    b96327b7671d2a36c5aa9116be60aab4 mktemp-1.4-1.i386.rpm
from
    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.1/current/RPMS/
Install the packages:
    rpm -U metamail-2.7-7.i386.rpm
    rpm -i mktemp-1.4-1.i386.rpm
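The verification step above as a script (an added example, not part of
Caldera's advisory): it checks the two packages against the md5sums listed
in the advisory and prints the install commands only if both match. It
assumes the md5sum utility is available and that the packages are in the
directory passed as the argument; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not Caldera's code. File names and MD5 sums are the ones
# published in the advisory; function names are illustrative.
EXPECTED_SUMS='bb19c854958db5811918b2f4b4ad821c  metamail-2.7-7.i386.rpm
b96327b7671d2a36c5aa9116be60aab4  mktemp-1.4-1.i386.rpm'

# md5_of FILE: print the hex MD5 digest of FILE (assumes md5sum exists).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_packages DIR [SUMS]: return 0 only if every file named in SUMS
# exists in DIR and matches its digest. SUMS defaults to the advisory's list.
verify_packages() {
    dir=$1
    sums=${2:-$EXPECTED_SUMS}
    status=0
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        got=$(md5_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got, want $want)" >&2; status=1
        fi
    done <<EOF
$sums
EOF
    return $status
}

# install_if_verified DIR: print the advisory's install commands only when
# both packages verify. Nothing is installed by this script.
install_if_verified() {
    if verify_packages "$1"; then
        echo "rpm -U $1/metamail-2.7-7.i386.rpm"
        echo "rpm -i $1/mktemp-1.4-1.i386.rpm"
    else
        echo "verification failed; not installing" >&2
        return 1
    fi
}
```

Run install_if_verified with the download directory as its argument; a
missing or altered package makes it return non-zero without printing the
rpm commands.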
IV. References / Credits
This security advisory is based on the posting to the Bugtraq
email list:
From: Allan Cox alan@LXORGUK.UKUU.ORG.UK
To: BUGTRAQ@NETSPACE.ORG
Date: 24 Oct 1997 22:42:11 +0100
Subject: Vulnerability in metamail
Message-ID: m0xOrUi-0005FvC@lightning.swansea.linux.org.uk
http://www.geek-girl.com/bugtraq/
This update closes Caldera internal problem report #1011.
V. PGP Signature
This message was signed with the PGP key for security@caldera.com.
This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/
Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/
$Id: SA-1998.01,v 1.2 1998/01/09 06:28:03 ron Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNLXFc+n+9R4958LpAQGd5AQAjss2efcbiONEaAoYLuwL7feYf2b0WVW5
JhtQabgD/OYjlmLluXUDb2Mjx5QZYd2kpGdSt7WK63AF0Zi+V+M/FNF9sCLFwp5u
26xZzUN+NJP7oPyVfpYhBfRaYb7TwczrAtfo3g3b7AwyvyaOyQyLjNIB2oUPo6gZ
OxSN15QoJ9I=
=+BOm
-----END PGP SIGNATURE-----