3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
87 lines
3.2 KiB
Text
87 lines
3.2 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-00:15 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: imap-uw allows local users to deny service to any mailbox
|
|
|
|
Category: ports
|
|
Module: imap-uw
|
|
Announced: 2000-04-24
|
|
Credits: Alex Mottram <alex@NET-CONNECT.NET> via BugTraq
|
|
Affects: Ports collection.
|
|
Corrected: See below.
|
|
Vendor status: Notified.
|
|
FreeBSD only: NO
|
|
|
|
I. Background
|
|
|
|
imap-uw is a popular IMAP4/POP2/POP3 mail server from the University
|
|
of Washington.
|
|
|
|
II. Problem Description
|
|
|
|
The imap-uw port supplies a "libc-client" library which provides
|
|
various functionality common to mail servers. The algorithm used for
|
|
locking of mailbox files contains a weakness which allows an
|
|
unprivileged local user to lock an arbitrary local mailbox.
|
|
|
|
In the case of POP2/POP3 servers, this means that the mailbox will not
|
|
be able to be accessed at all by the owner. In the case of IMAP4
|
|
servers, the folder can be opened for reading, but not writing
|
|
(i.e. can only be accessed read-only).
|
|
|
|
Note that this is a different vulnerability than that described in
|
|
FreeBSD Security Advisory 00:14, and affects all imap-uw servers which
|
|
provide shell-level access to users. However note that by virtue of
|
|
advisory 00:14, all users who can access their mail remotely via imap
|
|
can acquire such access even without explicit shell login access.
|
|
|
|
The imap-uw port is not installed by default, nor is it "part of
|
|
FreeBSD" as such: it is part of the FreeBSD ports collection, which
|
|
contains over 3200 third-party applications in a ready-to-install
|
|
format. The ports collection shipped with FreeBSD 4.0 contains this
|
|
problem since it was discovered after the release.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security
|
|
audit of the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
A user who has, or who can obtain (see advisory 00:14) shell access to
|
|
the mail server can prevent an arbitrary mailbox from being opened via
|
|
pop2/pop3, or can force the mailbox to be only opened read-only via
|
|
imap.
|
|
|
|
If you have not chosen to install the imap-uw port/package, then your
|
|
system is not vulnerable to this problem.
|
|
|
|
IV. Workaround
|
|
|
|
1) Deinstall the imap-uw port/package, if you you have installed it.
|
|
|
|
2) Consider using another POP2/POP3 server if you do not require IMAP
|
|
functionality. See the notes regarding alternative IMAP servers in
|
|
FreeBSD Security Advisory 00:14.
|
|
|
|
V. Solution
|
|
|
|
No patch is currently available. It is encumbent on the imap-uw
|
|
developers to redesign the mailbox locking scheme to provide a secure
|
|
locking mechanism which is not vulnerable to local denial-of-service
|
|
attacks.
|
|
|
|
This advisory will be updated once the known vulnerabilities in
|
|
imap-uw have been addressed.
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBOQTN8FUuHi5z0oilAQH58gP+JtkvDh4EFR13jGKxb6PERkt9x6Cpy+DY
|
|
1P56XODBiK4tnbTjdke2JLLNUHpSYtN23h8zt1DtnlxnxunQa8Y6fhptbpgHUWAu
|
|
ZIJlLLnl0iQcjj3Lqwz2E2BaFsyZxlVSGQnD/EmI+tyZcY+oTYbomCgi1RW3kbn+
|
|
fmNJXmwTXCg=
|
|
=TwTN
|
|
-----END PGP SIGNATURE-----
|