-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 NetBSD Security Advisory 2022-003 ================================= Topic: Race condition in mail.local(8) Version: NetBSD-current: affected prior to 2022-05-17 NetBSD 10: not affected NetBSD 9.*: affected NetBSD 8.*: affected Severity: Local user may be able to own any file or append arbitrary data Fixed: NetBSD-current: May 17, 2022 NetBSD-9 branch: May 17, 2022 NetBSD-8 branch: May 17, 2022 Please note that NetBSD releases prior to 8.2 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== A race condition exists in the mail.local(8) (/usr/libexec/mail.local) program which is setuid root. That may be exploited in order to change the ownership of or append arbitrary data to an arbitrary file. A malicious local user may exploit the race condition to acquire write permissions to a critical system file, and leverage the situation to acquire escalated privileges. This was originally addressed in NetBSD-SA2016-006 and has been assigned CVE-2016-6253. The fix proved inefficient and had to be fixed again, which is the reason for this new advisory. Technical Details ================= The user mailbox (typically /var/mail/$USER) which is used to deliver a message, is checked using lstat(2) to verify that the file is not a symlink. Then if the file is not a symlink, it's opened. If the file does not exist, it is created with another open(2) call. There is a tiny window between the two open calls in which the attacker could symlink it to a arbitrary file, and the mail.local program then would chown the file the symlink points to. Solutions and Workarounds ========================= Potential workaround is to remove /usr/libexec/mail.local, if you use postfix(1) as the only way of delivering mails. mail.local(8) program was used by sendmail(8) which is no longer shipped with the NetBSD (currently postfix(1) is used as a default MTA). mail.local(8) dependency should be checked manually in case of other MTAs). To apply a fixed version from a releng build, fetch a fitting base.{tgz,tar.xz} from nycdn.NetBSD.org and extract the fixed binaries: cd /var/tmp ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz cd / tar xzpf /var/tmp/base.tgz libexec/mail.local with the following replacements: REL = the release version you are using BUILD = the source date of the build. %DATE%* and later will fit ARCH = your system's architecture The following instructions describe how to upgrade your mail.local(8) binaries by updating your source tree and rebuilding and installing a new version of mail.local(8). * NetBSD-current: Systems running NetBSD-current dated from before 2022-05-18 should be upgraded to NetBSD-current dated 2022-05-18 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/libexec/mail.local To update from CVS, re-build, and re-install mail.local(8): # cd src # cvs update -d -P libexec/mail.local # cd libexec/mail.local # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 8.* or 9.*: Systems running NetBSD 8.* or 9.* sources dated from before 2022-05-18 should be upgraded from NetBSD 8.* or 9.* sources dated 2022-05-18 or later. The following files/directories need to be updated from the netbsd-8 or netbsd-9 branches: src/libexec/mail.local To update from CVS, re-build, and re-install mail.local(8): # cd src # cvs update -r -d -P libexec/mail.local # cd libexec/mail.local # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Jan Schaumann for pointing out the ineffectiveness of the original 2016-07-19 fix. Revision History ================ 2022-10-04 Initial release 2022-10-08 Mention all branches affected More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc Information about NetBSD and NetBSD security can be found at https://www.NetBSD.org/ https://www.NetBSD.org/Security/ Copyright 2022, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2022-003.txt,v 1.2 2022/10/08 13:28:21 christos Exp $ -----BEGIN PGP SIGNATURE----- iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmNBe0scHHNlY3VyaXR5 LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/8ArEACkpb+MITxIWyjW8ny2 8+5963s7RUy2C3hH0SEkMdxt072kieo0aZVJox77USKYCrw3Bp0g0tYtAEQ1bqqL +y37lN3vRS5XsLs3X7x+/m3jdryVkLgLY/QQOoga676uTxYt2ql3kWcQYfMU0uLf Sif+0jmes/2h4npAOUO9U1t21MtEnal+YnIP0q6P7gx+sWaljXX0lmAsPGG8Jiil XXi88ZdvmyTLUOtXC2Jj/LOov/6p7OPnVjFKZh+c13rGC0BiwqAlmcoVh25G4afB 2WpCEn40cQnrYYfxhICzgOJs5XHsC06EQLfUdSO8PmkNk3wGOFUoRoDDz1cPFp2i l1J4rcDBhpHJIrj0Twanza3UiA90jseQtG0Kuvl9v8RVN7r4iqeWybI9/kJuzyEK oweCGHmYTb/4TWxKSI3y/ys7rCj0dzqbQXbcmAYRKpH4jH2oz+OBz+F3noqX+yiv HvONB9lin8Xd2Wu8qoNXRjt6mPgOhUnX2w0V1lfdCexqjpP5pO/C9erXyYbS8CIy DAfX3BUMTcyTEuJY/1/+TgYTvPPRfkFR3GgniIBuGycqKOB9uARHgi2K5/eneDUq kNX61BpAzZHww9VmRSYY/jdNBHt5H42qGKZZpKCDJyOZsUcgtcTxPDwGT18o9XMQ idQLJA1V3/1ZNZ9r+USUTdTAvQ== =hwbs -----END PGP SIGNATURE-----