From: markus schnalke <meillo@marmaro.de>
To: John Lightsey <lightsey@debian.org>
Date: Tue, 16 Aug 2011 09:51:55 +0200
Subject: Re: Possible security bug in masqmail

[2011-08-14 20:22] John Lightsey <lightsey@debian.org>
> Hi everyone,
>
> This weekend I was doing an audit of setuid binaries in the archive
> looking for setuid() calls that don't check their return codes.
>
> I found a problem in masqmail that may be exploitable, but I don't know
> enough about this particular piece of software to be certain.

Hello,

thanks for your work and thanks for reporting this bug.

I am the maintainer of the Debian package as well as the upstream
developer of masqmail.

> In src/log.c there are two logging functions that use this logic:
>
> uid_t saved_uid;
> saved_uid = seteuid(conf.mail_uid);
>
> ...write to a log file...
>
> seteuid(saved_uid);
>
>
> The first seteuid() call here isn't returning the previous EUID, it's
> returning 0 on success and -1 on failure. The net result should be that
> any time masqmail writes to the log, it's resetting the EUID to root.
> This would undo the effect of other code in masqmail that drops root
> privileges.

I believe this is correct and thus a bug.

btw: There's also similar code logic in src/masqmail.c, and several
calls to set(e)[ug]id that don't check for failure.

> The most recent upstream version of masqmail (0.3.2) contains identical
> code to the version I audited (Debian stable's version 0.2.27).

Yes, these code parts haven't changed.

> Unless someone from the security team instructs me otherwise, I will
> report this in the public Debian bug tracker on 28 Aug 2011.

My mail message goes to the masqmail development mailing list too;
this makes the bug report public. Feel free to post it to the Debian
bug tracker.

In order to resolve the issue (please correct me if I get it wrong):

- Return values of set(e)[ug]id calls need to be checked and handled.
- To obtain the previous [ug]id, I can put a get(e)[ug]id call just
  before the set(e)[ug]id calls.

I will fix this and prepare an updated package ASAP. Usually Hauke
<jhr@d.o> uploads for me.

meillo
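
The two fixes proposed in the message above (read the old EUID with geteuid() before switching, and check every seteuid() result), shown beside the reported pattern. This is an added example, not part of the original message and not masqmail's code; `broken_save_euid`, `run_with_euid` and `write_log_line` are hypothetical names.

```c
/* Added example: hypothetical helper names, not masqmail's source. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern from the report: seteuid() returns 0 or -1, never the old EUID,
 * so the "saved" value is 0 (root) whenever the switch succeeds. */
uid_t broken_save_euid(uid_t target)
{
    return (uid_t)seteuid(target);
}

/* Run fn(arg) with the effective UID set to target, then restore it.
 * Returns fn's result, or -1 if the switch fails (fn is then not run).
 * A failed restore ends the process rather than continuing with the wrong EUID. */
int run_with_euid(uid_t target, int (*fn)(void *), void *arg)
{
    uid_t saved_uid = geteuid();   /* read the old EUID before switching */
    int rc;

    if (seteuid(target) != 0) {
        perror("seteuid(target)");
        return -1;
    }
    rc = fn(arg);
    if (seteuid(saved_uid) != 0) {
        perror("seteuid(saved_uid)");
        _exit(1);
    }
    return rc;
}

/* Stand-in for the log write: counts how often it ran. */
int write_log_line(void *arg)
{
    int *calls = arg;
    (*calls)++;
    return 0;
}

int main(void)
{
    int calls = 0;
    /* Constructed input: the current EUID, so this runs without root. */
    int rc = run_with_euid(geteuid(), write_log_line, &calls);
    printf("rc=%d calls=%d broken_saved=%lu\n", rc, calls,
           (unsigned long)broken_save_euid(geteuid()));
    return rc;
}
```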