Title: exmh security vulnerability on linux.com
Released by: Brent Welch
Date: 15th January 2001
I have put information about the symlink attack and fixes on

Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own
tmp directory via the TMPDIR or EXMHTMPDIR environment variable.
Apparently the original bug reported failed to realize this simple
remedy.  However, a patch that causes exmh to pick a better directory
by default is in place and available from the above web page.  The
change is also checked into CVS.

If someone out there is a member of BUGTRAQ, I would appreciate a posting
to their list about this fix.

>>>Albert White - SUN Ireland said:
 > On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html
 > This bug is mentioned:
 >
 > "A problem in the bug reporting system for exmh, an X-based interface for th
 > MH mail, can cause overwriting of arbitrary system files that are writable b
 > the user running exmhexmh encounters a problem in its code, it opens a dialo
 > that asks the user what happened and then allows them to send a bug report t
 > the author. If the user chooses to e-mail the bug report, exmh creates the
 > file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink
 > overwriting the file that it is linked to.
 >
 > As of this time, the author has not released a patch or updated version. It
 > recommended that the bug report feature not be used on multiuser systems unt
 > this problem has been fixed."
 >
 > I think the problem is in error.tcl around line 121:
 >
 >    119  proc ExmhMailError { w errInfo } {
 >    120      global exmh
 >    121      if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
 >    122          Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
 >    123          return
 >    124      }
 >
 > I guess all that is needed to fix this is a check to see that the file isn't
 > symlink before opening it. I don't know how to do that in tcl though :)
 >
 > Cheers,
 > ~Al




-- Brent Welch 
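
Added example, not part of the messages above and not the exmh patch: the two defences the thread discusses, written in Tcl. It uses a per-user directory instead of shared /tmp, and an exclusive create, which fails on an existing symlink instead of following it and so leaves no gap between a check and the open. The proc names and the directory name are hypothetical.

```tcl
# Added example; proc names and the directory name are hypothetical.
# Needs Tcl 8.5 or later (0o octal literals).

# Return a scratch directory usable only by the current user.
# Assumes $parent is sticky (like /tmp) or owned by the user, so nobody
# else can swap the directory out once it exists.
proc PrivateTmpDir {parent name} {
    set dir [file join $parent $name]
    file mkdir $dir          ;# no-op when the directory already exists
    file lstat $dir st       ;# lstat describes a symlink, not its target
    if {$st(type) ne "directory" || ![file owned $dir]} {
        error "$dir is not a directory owned by this user"
    }
    file attributes $dir -permissions rwx------
    return $dir
}

# Create a new file for writing. CREAT together with EXCL makes open
# fail if any name, a symlink included, already exists at the path.
proc OpenNewFile {path} {
    return [open $path {WRONLY CREAT EXCL} 0o600]
}

# Usage, following the shape of ExmhMailError in the quoted code.
if {[info exists env(TMPDIR)]} {
    set parent $env(TMPDIR)
} else {
    set parent /tmp
}
set dir  [PrivateTmpDir $parent example-$tcl_platform(user)]
set path [file join $dir exmhErrorMsg]

# Clear a report left by an earlier run. file delete removes a symlink
# itself, never the file it points to.
file delete $path

if {[catch {OpenNewFile $path} out]} {
    puts stderr "Cannot open $path: $out"
} else {
    puts $out "constructed bug report text"
    close $out
}
```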

