From: John Lightsey <lightsey@debian.org>
To: markus schnalke <meillo@marmaro.de>
Date: Tue, 16 Aug 2011 08:37:01 -0500
Subject: Re: Possible security bug in masqmail
On 08/16/2011 02:51 AM, markus schnalke wrote:
> [2011-08-14 20:22] John Lightsey <lightsey@debian.org>
>> Unless someone from the security team instructs me otherwise, I will
>> report this in the public Debian bug tracker on 28 Aug 2011.
>
> My mail message goes to the masqmail development mailing list too;
> this makes the bug report public. Feel free to post it to the Debian
> bug tracker.

The Debian bug number is 638002.

> In order to resolve the issue. Please correct me if I get it wrong:
>
> - Return values of set(e)[ug]id calls need to be checked and handled.
> - To obtain the previous [ug]id, I can put a get(e)[ug]id call just
> before the set(e)[ug]id calls.

Yes, this is all that is necessary. It should be a straightforward fix.

Thanks for responding rapidly.

John
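
The two steps agreed on in this exchange (read the current ids with get(e)[ug]id just before the set(e)[ug]id calls, and check every return value), shown as an added C example that is not masqmail's code. The names `ids_switch`, `ids_restore` and `struct saved_ids` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper names; not taken from masqmail. */
struct saved_ids { uid_t euid; gid_t egid; };

/* Switch effective ids. Returns 0 on success, -1 with the ids unchanged. */
int ids_switch(uid_t uid, gid_t gid, struct saved_ids *saved)
{
    saved->euid = geteuid();   /* read just before the set calls */
    saved->egid = getegid();
    if (setegid(gid) != 0) {   /* group first, while the old euid still applies */
        fprintf(stderr, "setegid(%ld): %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (seteuid(uid) != 0) {
        fprintf(stderr, "seteuid(%ld): %s\n", (long)uid, strerror(errno));
        if (setegid(saved->egid) != 0)
            _exit(111);        /* half-switched: do not keep running */
        return -1;
    }
    return 0;
}

/* Return to the saved ids, user first so the group change is permitted. */
int ids_restore(const struct saved_ids *saved)
{
    if (seteuid(saved->euid) != 0 || setegid(saved->egid) != 0) {
        fprintf(stderr, "restore ids: %s\n", strerror(errno));
        return -1;
    }
    /* Confirm the result instead of trusting the return value alone. */
    return (geteuid() == saved->euid && getegid() == saved->egid) ? 0 : -1;
}

int main(void)
{
    struct saved_ids old;
    /* Constructed demo: "switch" to the real ids, which is always permitted. */
    if (ids_switch(getuid(), getgid(), &old) != 0)
        return 1;              /* refuse to continue with the wrong ids */
    printf("running as euid=%ld egid=%ld\n", (long)geteuid(), (long)getegid());
    return ids_restore(&old) != 0;
}
```

A caller that ignores a -1 from either helper keeps running with ids it did not intend, which is the failure the checks are there to stop.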