Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0246 -- [NetBSD] mail(1) creates record file with insecure umask 31 March 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: mail(1) Publisher: NetBSD Operating System: NetBSD Impact: Access Privileged Data Access: Existing Account Original Bulletin: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-007.txt.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2006-007 ================================= Topic: mail(1) creates record file with insecure umask Version: NetBSD-current: source prior to March 03, 2006 NetBSD 3.0 affected NetBSD 2.1: affected NetBSD 2.0.*: affected NetBSD 2.0: affected NetBSD 1.6.*: affected NetBSD 1.6: affected Severity: Information disclosure Fixed: NetBSD-current: March 03, 2006 NetBSD-3-0 branch: March 17, 2006 (3.0.1 will include the fix) NetBSD-3 branch: March 17, 2006 NetBSD-2-1 branch: March 17, 2006 (2.1.1 will include the fix) NetBSD-2-0 branch: March 17, 2006 (2.0.4 will include the fix) NetBSD-2 branch: March 17, 2006 Abstract ======== If the "set record" setting is present in a users .mailrc, and they have the default umask set, the record file will be created with insecure permissions. Technical Details ================= When mail(1) creates the users record file it currently does so using the default umask of 0644. This may leave the record file of a users email readable by other users of the system. Solutions and Workarounds ========================= The default NetBSD running mail configuration is not vulnerable to this bug, since the "set record" setting is not present by default in .mailrc. The following instructions describe how to upgrade your mail binaries by updating your source tree and rebuilding and installing a new version of mail. * NetBSD-current: Systems running NetBSD-current dated from before 2006-03-02 should be upgraded to NetBSD-current dated 2006-03-03 or later. The following file needs to be updated from the netbsd-current CVS branch (aka HEAD): usr.bin/mail/send.c To update from CVS, re-build, and re-install mail: # cd src # cvs update -d -P usr.bin/mail/send.c # cd usr.bin/mail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 3.*: Systems running NetBSD 3.* sources dated from before 2006-03-16 should be upgraded from NetBSD 3.* sources dated 2006-03-17 or later. The following file needs to be updated from the netbsd-3 or netbsd-3-0 CVS branch: usr.bin/mail/send.c To update from CVS, re-build, and re-install mail: # cd src # cvs update -d -P -r <branch_name> usr.bin/mail/send.c # cd usr.bin/mail # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 2.*: Systems running NetBSD 2.* sources dated from before 2006-03-16 should be upgraded from NetBSD 2.* sources dated 2006-03-17 or later. The following file needs to be updated from the netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch: usr.bin/mail/send.c To update from CVS, re-build, and re-install mail: # cd src # cvs update -d -P -r <branch_name> usr.bin/mail/send.c # cd usr.bin/mail # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Johan Veenhuizen for reporting the bug to the NetBSD Security Officer. Christos Zoulas for implementing the fixes in -HEAD. Revision History ================ 2006-03-29 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-007.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2006-007.txt,v 1.6 2006/03/29 11:14:28 adrianp Exp $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (NetBSD) iQCVAwUBRCsC+z5Ru2/4N2IFAQJFxgP9FIb8bDTLy64wI5qg2YIYNtcpWJlPTpRx ehnxpBt+f+ZeoIpPjevs/Bm0pT1kakei97yNJFHp24MTX+FVfL8R8g/RiLjhehwi L34d9+WZDhED2EdazWW52oNQcs12f+QKj0K/4xPfbXZZ0ccU9xgDadSnN99UQkw6 Lbwmn1P1+JE= =sygp - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRCzB+ih9+71yA2DNAQIDFgQAkcBWwFdPjOVvhWykbjXN236m30Ets5r1 C4k9RLkXVbtEYmc/7woiYP8R+lX+/5zNJCo8iegEB5iVe7etzvpe0la3Bx5aH3Xa ZSZNsMA15BpcAOtNtd0rGi2ocatq5H212UMuDsUEoIY+ACx99clwO292UbteYaaB AdJF55uzo70= =H4LX -----END PGP SIGNATURE-----