[Pkg-shadow-devel] Bug#307259: marked as forwarded (Insecure mailbox generation due to incomplete open() call)

Debian Bug Tracking System owner@bugs.debian.org
Mon, 02 May 2005 11:33:09 -0700


Your message dated Mon, 2 May 2005 20:18:14 +0200
with message-id <20050502181814.GI6796@mykerinos.kheops.frmug.org>
has caused the Debian Bug report #307259,
regarding Insecure mailbox generation due to incomplete open() call
to be marked as having been forwarded to the upstream software
author(s) Tomasz Kłoczko <kloczek@zie.pg.gda.pl>.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Date: Mon, 2 May 2005 20:18:14 +0200
From: Christian Perrier <bubulle@debian.org>
To: Tomasz Kłoczko <kloczek@zie.pg.gda.pl>
Cc: Moritz Muehlenhoff <muehlenhoff@univention.de>,
	307259-forwarded@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#307259: Insecure mailbox generation due to incomplete open() call
Message-ID: <20050502181814.GI6796@mykerinos.kheops.frmug.org>

Quoting Moritz Muehlenhoff (muehlenhoff@univention.de):
> Package: passwd
> Severity: normal
> Tags: security
>
> The 4.0.8 changelog points to a change with minor security implications:
> | useradd: fixes a potential security problem when mailbox is created in
> | useradd.
> | Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>:
> | Only two arguments are passed to the open() call though it expects three
> | because O_CREAT is present. Hence the permission of the file first becomes
> | some random garbage found on the stack, and an attacker can perhaps open
> | this file and hold it open for reading or writing before the proper
> | fchmod() is executed. (Actually, we could also pass the final "mode" to
> | the open() call and then save the consequent fchmod().)


Thanks, Moritz, for reporting this or for your careful read
of shadow's changelog.

Tomasz, do you still have this patch available? We might need to
apply it to Debian shadow to fix this potential security problem.
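
Added example (not part of the original message and not shadow's code): the fix the quoted changelog entry points to, supplying the mode as the third open() argument so the file never exists with unpredictable permissions. The helper name create_mailbox, the 0600 creation mode and the 0660 final mode are assumptions for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the changelog describes, written out as a constructed illustration
 * (not shadow's source) and kept in a comment because it is undefined:
 *     fd = open(path, O_CREAT | O_WRONLY);    <- no mode: permissions are
 *     fchmod(fd, mode);                          stack garbage until here
 */

/* Hypothetical helper. Creates path owner-only, stores the permission bits
 * seen right after open() in *born, then applies final_mode.
 * Returns 0 on success, -1 on failure. */
int create_mailbox(const char *path, mode_t final_mode, mode_t *born)
{
    struct stat st;
    /* Third argument present: the file never exists with wider access than
     * 0600. O_EXCL fails on an existing file or symlink instead of reusing it. */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    /* A real tool would fchown(fd, uid, gid) here, before widening the mode. */
    if (fstat(fd, &st) != 0 || fchmod(fd, final_mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    *born = st.st_mode & 07777;
    return close(fd);
}

int main(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", path[64];
    mode_t born = 0;
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/alice", dir);
    umask(0);   /* worst case: the umask masks nothing */
    int rc = create_mailbox(path, 0660, &born);
    printf("rc=%d mode at creation=%04o\n", rc, (unsigned)born);
    unlink(path);
    rmdir(dir);
    return rc != 0;
}
```

Building with -D_FORTIFY_SOURCE=2 and optimisation enabled makes glibc reject a two-argument open() whose flags are a compile-time constant containing O_CREAT, which catches this class of bug at build time.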