Author: neilm Date: 2005-09-03 14:46:03 +0000 (Sat, 03 Sep 2005) New Revision: 1797 Added: data/DTSA/advs/11-maildrop.adv Log: Last .adv Added: data/DTSA/advs/11-maildrop.adv ==================================================================--- data/DTSA/advs/11-maildrop.adv 2005-09-03 14:41:30 UTC (rev 1796) +++ data/DTSA/advs/11-maildrop.adv 2005-09-03 14:46:03 UTC (rev 1797) @@ -0,0 +1,17 @@ +dtsa: DTSA-11-1 +source: maildrop +date: August 29th, 2005 +author: Andres Salomon +vuln-type: local privilege escalation +problem-scope: local +debian-specific: yes +cve: CAN-2005-2655 +testing-fix: 1.5.3-1.1etch1 +sid-fix: 1.5.3-2 + +The lockmail binary shipped with maildrop allows for an attacker to +obtain an effective gid as group "mail". Debian ships the binary with its +setgid bit set, but the program does not drop privileges when run. It takes +an argument that is executed, and since it does not drop privileges, an +attacker can execute an arbitrary command with an effective gid of the "mail" +group.
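Review bot: The advisory body (the last six added lines) explains the flaw but never connects it to the fix fields in the header. A reader sees testing-fix: 1.5.3-1.1etch1 and sid-fix: 1.5.3-2, but the text does not say whether those versions make lockmail drop privileges before executing its argument or remove the setgid bit from the binary. Consider adding a closing sentence that states what the fixed packages change. The body could also be tightened, since it says the program "does not drop privileges" twice. Separately, date: August 29th, 2005 is earlier than this commit's date of 2005-09-03, so it is worth confirming that the field is meant to carry the advisory's release date and not the date the file was added.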