[Secure-testing-commits] r1797 - data/DTSA/advs

Neil McGovern neilm at costa.debian.org
Sat Sep 3 14:46:03 UTC 2005


Author: neilm
Date: 2005-09-03 14:46:03 +0000 (Sat, 03 Sep 2005)
New Revision: 1797

Added:
   data/DTSA/advs/11-maildrop.adv
Log:
Last .adv


Added: data/DTSA/advs/11-maildrop.adv
===================================================================
--- data/DTSA/advs/11-maildrop.adv	2005-09-03 14:41:30 UTC (rev 1796)
+++ data/DTSA/advs/11-maildrop.adv	2005-09-03 14:46:03 UTC (rev 1797)
@@ -0,0 +1,17 @@
+dtsa: DTSA-11-1
+source: maildrop
+date: August 29th, 2005
+author: Andres Salomon
+vuln-type: local privilege escalation
+problem-scope: local
+debian-specific: yes
+cve: CAN-2005-2655
+testing-fix: 1.5.3-1.1etch1
+sid-fix: 1.5.3-2
+
+The lockmail binary shipped with maildrop allows for an attacker to
+obtain an effective gid as group "mail".  Debian ships the binary with its
+setgid bit set, but the program does not drop privileges when run.  It takes
+an argument that is executed, and since it does not drop privileges, an
+attacker can execute an arbitrary command with an effective gid of the "mail"
+group.




More information about the Secure-testing-commits mailing list