[Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Mon Dec 8 15:00:27 GMT 2008

Send me mail from a badly setup domain, and you better not be surprised 
when I don't accept it. The RFC makes it very clear that MX records can 
only point to A records and not to CNAME records.
Get your DNS fixed and I will happily accept your mail.
:-)

On 3/12/08 22:46, Simon Walter wrote:
> Hi,
>
> I send this through the mailinglist because I can't send it to
> Julian directly because of the following:
>
>   mailscanner at ecs.soton.ac.uk
>      SMTP error from remote mail server after MAIL FROM:<simon.walter at hp-factory.de>:
>      host mx.ecs.soton.ac.uk [152.78.68.137]: 553 5.1.8 sender<simon.walter at hp-factory.de>  from hp-factory.de MX invalid #439 (kB2Lcm295123146500)
>
> I don't know what's causing this...
>
> Anyway, here is the mail in which some of you should be interested too.
>
> -------------------- Start of forwarded message --------------------
> To: Mark Purcell<msp at debian.org>
> Cc: 506353 at bugs.debian.org,  Raphael Geissert<atomo64 at gmail.com>, mailscanner at ecs.soton.ac.uk
> BCC: control at bugs.debian.org
> Subject: Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
> X-Draft-From: ("nnml:debian.bugs" 284)
> References:<200811201524.52353.atomo64 at gmail.com>
> 	<200812032338.02957.msp at debian.org>
> From: Simon Walter<simon.walter at hp-factory.de>
> Date: Wed, 03 Dec 2008 22:28:09 +0100
> In-Reply-To:<200812032338.02957.msp at debian.org>  (Mark Purcell's message of "Wed\, 3 Dec 2008 23\:38\:02 +1100")
> Message-ID:<877i6hhrti.fsf at hp-factory.de>
> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
> Lines: 51
> Xref: tharlab others.sent:737
>
>
> package mailscanner
> tags 506353 help upstream confirmed
> thanks
>
> Hello,
>
> Mark Purcell<msp at debian.org>  writes:
>    
>> On Friday 21 November 2008 08:24:46 Raphael Geissert wrote:
>>      
>>> I'm using severity grave as this package should definitely not be shipped
>>> in any release as is.
>>>        
>> Simon,
>>
>> This RC bug was reported almost two weeks ago without any comment from you.
>>
>> Are you in a position to investigate and propose a way forward for your
>> package in lenny?
>>      
>
> I have looked at the code-segments Raphael pointed out and I'm totally
> agree with him. In the current state the package should not be part of
> the lenny release.
>
> I'm in no position to fix all this. I'm not familiar enough with the
> MailScanner sourcecode and I'm not able to test the changes I would
> have to make, in particular to all the virusscanner scripts.
>
>
> I have put Julian Field (upstream author) in CC to inform him about
> all this. (@Julian: the full bugreport is here [1])
>
> If he is willing and able to fix the problems in a feature
> release before lenny is released I will try to backport the fixes to
> the current package in lenny.
>
>
> Otherwise this package should be removed.
>
>
> I'm also wondering why [2] marks CVE-2008-5140 as fixed for
> sid+lenny. It claims the bug was fix with 4.57.6-1, but there is no
> difference between 4.55.10-3 and 4.57.6-1.
>
> Sorry for the late reply.
>
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.