John Lightsey
2011-Aug-16 13:27 UTC
[Secure-testing-team] Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c
Package: masqmail
Version: 0.2.21-4
Severity: critical
Tags: security
Justification: root security hole

Reporting publicly since this has already been disclosed on the masqmail list.

In src/log.c there are two logging functions that use this logic:

    uid_t saved_uid;
    saved_uid = seteuid(conf.mail_uid);
    ....write to a log file...
    seteuid(saved_uid);

The first seteuid() call here isn't returning the previous EUID, it's returning 0 on success and -1 on failure. The net result should be that any time masqmail writes to the log, it's resetting the EUID to root. This would undo the effect of other code in masqmail that drops root privileges.

The most recent upstream version of masqmail (0.3.2) contains identical code to the version I audited (Debian stable's version 0.2.27).

Per information provided by the upstream author, src/masqmail.c contains additional code with the same type of flaw.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
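The following is an added example, not code from the report or from masqmail itself: it puts the quoted save/restore sequence beside a corrected one that records the current EUID with geteuid() and checks each seteuid() result. The `conf` struct, the tmpfile() stand-in for the log, and `run_demo()` are assumptions made for this example.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Stand-in for masqmail's conf.mail_uid (assumption for this example). */
static struct { uid_t mail_uid; } conf;

/* Flawed pattern from the report: seteuid() returns 0 or -1, never the
 * previous EUID, so saved_uid is 0 after a successful switch and the
 * "restore" call is really seteuid(0). Returns the uid it restores to. */
uid_t log_write_buggy(FILE *log, const char *msg)
{
    uid_t saved_uid;

    saved_uid = seteuid(conf.mail_uid);   /* 0 on success, -1 on failure */
    fprintf(log, "%s\n", msg);
    seteuid(saved_uid);                   /* in a root process: back to EUID 0 */
    return saved_uid;
}

/* Corrected pattern: read the EUID before switching, check both switches,
 * and write only while running as mail_uid. Returns the EUID restored to,
 * or (uid_t)-1 if a switch failed (the log line is then not written). */
uid_t log_write_fixed(FILE *log, const char *msg)
{
    uid_t saved_uid = geteuid();          /* what the original meant to save */

    if (seteuid(conf.mail_uid) != 0) {
        perror("seteuid(mail_uid)");
        return (uid_t)-1;
    }
    fprintf(log, "%s\n", msg);
    if (seteuid(saved_uid) != 0) {
        perror("seteuid(saved_uid)");
        return (uid_t)-1;
    }
    return saved_uid;
}

/* Runs one variant with mail_uid set to the real UID (a switch any process
 * may make, so the demo works unprivileged) and a temporary file as the log. */
uid_t run_demo(uid_t (*fn)(FILE *, const char *))
{
    conf.mail_uid = getuid();
    FILE *log = tmpfile();                /* constructed stand-in for the log */
    uid_t restored = fn(log, "constructed log line");
    fclose(log);
    return restored;
}

int main(void)
{
    printf("flawed variant restores EUID to %u\n", (unsigned)run_demo(log_write_buggy));
    printf("fixed variant restores EUID to %u\n", (unsigned)run_demo(log_write_fixed));
    return 0;
}
```

Run unprivileged, the flawed variant still reports 0 while the fixed one reports the caller's EUID; in a setuid-root process that 0 is exactly the regained root EUID the report describes.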