[Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Alex Neuman van der Hans alex at rtpty.com
Mon Dec 8 23:15:50 GMT 2008


Reminds me of a biblical reference about something in one's eye... ;-)



On Dec 8, 2008, at 10:00 AM, Julian Field  
<MailScanner at ecs.soton.ac.uk> wrote:

> Send me mail from a badly setup domain, and you better not be  
> surprised when I don't accept it. The RFC makes it very clear that  
> MX records can only point to A records and not to CNAME records.
> Get your DNS fixed and I will happily accept your mail.
> :-)
>
> On 3/12/08 22:46, Simon Walter wrote:
>> Hi,
>>
>> I send this through the mailing list because I can't send it to
>> Julian directly because of the following:
>>
>>  mailscanner at ecs.soton.ac.uk
>>     SMTP error from remote mail server after MAIL FROM:<simon.walter at hp-factory.de>:
>>     host mx.ecs.soton.ac.uk [152.78.68.137]: 553 5.1.8 sender<simon.walter at hp-factory.de>  from hp-factory.de MX invalid #439 (kB2Lcm295123146500)
>>
>> I don't know what's causing this...
>>
>> Anyway, here is the mail in which some of you should be interested too.
>>
>> -------------------- Start of forwarded message --------------------
>> To: Mark Purcell<msp at debian.org>
>> Cc: 506353 at bugs.debian.org,  Raphael Geissert<atomo64 at gmail.com>, mailscanner at ecs.soton.ac.uk
>> BCC: control at bugs.debian.org
>> Subject: Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
>> X-Draft-From: ("nnml:debian.bugs" 284)
>> References:<200811201524.52353.atomo64 at gmail.com>
>>    <200812032338.02957.msp at debian.org>
>> From: Simon Walter<simon.walter at hp-factory.de>
>> Date: Wed, 03 Dec 2008 22:28:09 +0100
>> In-Reply-To:<200812032338.02957.msp at debian.org>  (Mark Purcell's message of "Wed\, 3 Dec 2008 23\:38\:02 +1100")
>> Message-ID:<877i6hhrti.fsf at hp-factory.de>
>> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
>> Lines: 51
>> Xref: tharlab others.sent:737
>>
>>
>> package mailscanner
>> tags 506353 help upstream confirmed
>> thanks
>>
>> Hello,
>>
>> Mark Purcell<msp at debian.org>  writes:
>>
>>> On Friday 21 November 2008 08:24:46 Raphael Geissert wrote:
>>>
>>>> I'm using severity grave as this package should definitely not be shipped
>>>> in any release as is.
>>>>
>>> Simon,
>>>
>>> This RC bug was reported almost two weeks ago without any comment from you.
>>>
>>> Are you in a position to investigate and propose a way forward for your
>>> package in lenny?
>>>
>>
>> I have looked at the code segments Raphael pointed out and I totally
>> agree with him. In the current state the package should not be part of
>> the lenny release.
>>
>> I'm in no position to fix all this. I'm not familiar enough with the
>> MailScanner source code and I'm not able to test the changes I would
>> have to make, in particular to all the virus-scanner scripts.
>>
>>
>> I have put Julian Field (upstream author) in CC to inform him about
>> all this. (@Julian: the full bug report is here [1])
>>
>> If he is willing and able to fix the problems in a feature
>> release before lenny is released I will try to backport the fixes to
>> the current package in lenny.
>>
>>
>> Otherwise this package should be removed.
>>
>>
>> I'm also wondering why [2] marks CVE-2008-5140 as fixed for
>> sid+lenny. It claims the bug was fixed with 4.57.6-1, but there is no
>> difference between 4.55.10-3 and 4.57.6-1.
>>
>> Sorry for the late reply.
>>
>>
>
> Jules
>
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
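The bug under discussion is a symlink attack: a script writes to a predictable path in a directory other local users can write to, so an attacker can pre-create a symlink there and have the privileged script overwrite whatever file the link points at. The following Python snippet is an added illustration of that failure mode and of the defensive pattern that closes it; it is not MailScanner's code and does not reproduce any of the scripts named in the bug report. It builds a constructed scenario inside a private temporary directory (a "victim" file and a planted symlink named `scanner.out`, both made up for the demo) and compares a plain `open()` with an `O_CREAT|O_EXCL|O_NOFOLLOW` open and with `tempfile.mkstemp()`.

```python
"""Added example: predictable output paths versus symlink-safe file creation.
Illustrative only; not MailScanner's own code. The file names and contents
below are constructed for the demo."""
import os
import shutil
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: open() follows whatever is at 'path', symlink included,
    so a link planted by another local user redirects the write."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: create the file ourselves (O_EXCL fails if anything,
    even a symlink, already exists at 'path') and refuse to follow a symlink at
    the final component (O_NOFOLLOW, where the platform has it). Permissions are
    restricted at creation time rather than fixed up afterwards."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Plant a symlink where a script expects to write (constructed scenario in a
    private temp dir) and report what each write strategy does to the victim."""
    sandbox = tempfile.mkdtemp()
    try:
        victim = os.path.join(sandbox, "victim.txt")  # stands in for a file the script must never touch
        original = b"original contents\n"
        with open(victim, "wb") as f:
            f.write(original)

        # The predictable name an attacker can pre-create before the script runs.
        predictable = os.path.join(sandbox, "scanner.out")
        os.symlink(victim, predictable)

        # 1. Naive write: the symlink is followed and the victim is clobbered.
        unsafe_write(predictable, b"overwritten\n")
        with open(victim, "rb") as f:
            after_unsafe = f.read()

        # Restore the victim so the second strategy starts from the same state.
        with open(victim, "wb") as f:
            f.write(original)

        # 2. Exclusive create: the pre-existing link makes os.open raise EEXIST.
        try:
            safe_write(predictable, b"overwritten\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        # 3. Better still: let the OS pick an unguessable name with mode 0600.
        fd, fresh = tempfile.mkstemp(dir=sandbox)
        os.close(fd)
        fresh_mode = os.stat(fresh).st_mode & 0o777

        return {
            "unsafe_overwrote_victim": after_unsafe == b"overwritten\n",
            "safe_refused": safe_refused,
            "safe_left_victim_intact": after_safe == original,
            "mkstemp_name_unpredictable": os.path.basename(fresh) != "scanner.out",
            "mkstemp_mode_private": fresh_mode == 0o600,
        }
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a reviewer of such scripts checks for is the first strategy: any fixed file name under `/tmp` or another world-writable directory, opened without `O_EXCL`, is exploitable exactly as the bug title says. Using `mkstemp()` (or `mktemp -t` in shell scripts) and a directory owned by the service user removes both the predictable name and the shared directory.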