-----BEGIN PGP SIGNED MESSAGE-----

Subject:              Caldera Security Advisory SA-1998.01: Vulnerability in metamail
Original report date: 24-Oct-1997
RPM build date:       07-Jan-1998
Advisory issue date:  09-Jan-1998

Topic: Metamail allows a fake mime enclosure to overwrite a user's file.

I. Problem Description

   Metamail is used by a number of mail readers to provide access to
   mime enclosures. A weakness in metamail (version 2.7-5 and earlier)
   can allow a faked mime enclosure to write or overwrite a user's file.

II. Impact

   An attacker can destroy, replace, or create a file in the directory
   of a specific user via a mime enclosure. The attacker must have the
   user's email address and the exact path to files owned by the user.

   The user must 'view' the mime enclosure via a mail reader that uses
   metamail or the attack will not work. The only known exploit uses a
   mime enclosure with content named audio-file. (Do not play a mime
   audio enclosure of this type without updating.)

   This vulnerability exists when metamail has been installed in these
   Caldera releases:

       CND 1.0
       COL 1.0
       COL 1.1 Standard
       COL 1.1 Base
       COL 1.1 Lite

   The root user is not vulnerable unless the system has been configured
   specifically to allow root to execute metamail. This is done by
   setting an environment variable or by using a '-r' command line flag.
   Pine is an example of a mail reader with this flaw.

   We suggest that system administrators forward mail sent to root
   having mime attachments to a less privileged user account before
   'reading' the mime attachments. (Even if you have updated.)

III. Solution

   If metamail capabilities are not needed on your system you can remove
   metamail. This might be preferred in some installations as metamail
   is script based and may have other unknown vulnerabilities.

       rpm -e metamail

   If access to mime attachments is needed you should update to the new
   metamail which has been made more secure by use of the mktemp package.

   Obtain these packages (check the md5sums for verification):

       bb19c854958db5811918b2f4b4ad821c  metamail-2.7-7.i386.rpm
       b96327b7671d2a36c5aa9116be60aab4  mktemp-1.4-1.i386.rpm

   from

       ftp://ftp.caldera.com/pub/OpenLinux/updates/1.1/current/RPMS/

   Install the packages:

       rpm -U metamail-2.7-7.i386.rpm
       rpm -i mktemp-1.4-1.i386.rpm

IV. References / Credits

   This security advisory is based on the posting to the Bugtraq email
   list:

       From: Allan Cox alan@LXORGUK.UKUU.ORG.UK
       To: BUGTRAQ@NETSPACE.ORG
       Date: 24 Oct 1997 22:42:11 +0100
       Subject: Vulnerability in metamail
       Message-ID: m0xOrUi-0005FvC@lightning.swansea.linux.org.uk

       http://www.geek-girl.com/bugtraq/

   This update closes Caldera internal problem report #1011.

V. PGP Signature

   This message was signed with the PGP key for security@caldera.com.

   This key can be obtained from:

       ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:

       /OpenLinux/pgp-keys/

$Id: SA-1998.01,v 1.2 1998/01/09 06:28:03 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNLXFc+n+9R4958LpAQGd5AQAjss2efcbiONEaAoYLuwL7feYf2b0WVW5
JhtQabgD/OYjlmLluXUDb2Mjx5QZYd2kpGdSt7WK63AF0Zi+V+M/FNF9sCLFwp5u
26xZzUN+NJP7oPyVfpYhBfRaYb7TwczrAtfo3g3b7AwyvyaOyQyLjNIB2oUPo6gZ
OxSN15QoJ9I=
=+BOm
-----END PGP SIGNATURE-----
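
The "check the md5sums, then install" procedure from Section III, written as a shell script that refuses to run rpm unless both packages match. This is an added example, not part of Caldera's advisory; the checksums, package names and rpm commands are copied from the advisory, and the function names verify_pkgs and install_if_verified are hypothetical.

```shell
#!/bin/sh
# Added example: gate the advisory's rpm commands on its published MD5 sums.
# Checksums and package names are copied from the advisory; the function
# names verify_pkgs and install_if_verified are hypothetical.
ADVISORY_MD5='bb19c854958db5811918b2f4b4ad821c  metamail-2.7-7.i386.rpm
b96327b7671d2a36c5aa9116be60aab4  mktemp-1.4-1.i386.rpm'

# verify_pkgs DIR MANIFEST
# Returns 0 only if every file listed in MANIFEST ("<md5>  <name>" per line)
# exists in DIR and hashes to the listed value. Fails closed otherwise.
verify_pkgs() {
    dir=$1; manifest=$2; rc=0
    [ -n "$manifest" ] || { echo "empty manifest" >&2; return 1; }
    while read -r want name; do
        [ -n "$want" ] || continue                 # skip blank lines
        case $name in
            ''|*/*) echo "BAD NAME  $name" >&2; rc=1; continue ;;  # no paths
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (got $got)" >&2; rc=1
        fi
    done <<EOF
$manifest
EOF
    return "$rc"
}

# install_if_verified DIR
# Runs the two rpm commands from Section III only after both packages verify.
install_if_verified() {
    verify_pkgs "$1" "$ADVISORY_MD5" || {
        echo "checksum verification failed; not installing" >&2
        return 1
    }
    rpm -U "$1/metamail-2.7-7.i386.rpm" && rpm -i "$1/mktemp-1.4-1.i386.rpm"
}

# Usage: sh verify-metamail.sh /path/to/downloaded/rpms
if [ "$#" -gt 0 ]; then
    install_if_verified "$1"
fi
```

The checksums are only as trustworthy as the copy of the advisory they were read from, so check the advisory's PGP signature against the security@caldera.com key before relying on them.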