                 NetBSD Security Advisory 2016-006
                 =================================

Topic:          Race condition in mail.local(8)

Version:        NetBSD-current:         affected prior to 2016-07-19
                NetBSD 7.0 - 7.0.1:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Local user may be able to own any file or append arbitrary data

Fixed:          NetBSD-current:         2016-07-19
                NetBSD-7 branch:        2016-07-19
                NetBSD-7-0 branch:      2016-07-19
                NetBSD-6 branch:        2016-07-19
                NetBSD-6-1 branch:      2016-07-19
                NetBSD-6-0 branch:      2016-07-19

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A race condition exists in the setuid-root mail.local(8) program
(/usr/libexec/mail.local). It may be exploited to change the ownership
of, or append arbitrary data to, an arbitrary file. A malicious local
user may exploit the race condition to acquire write permissions to a
critical system file, and leverage the situation to acquire escalated
privileges.

This vulnerability has been assigned CVE-2016-6253.


Technical Details
=================

The user mailbox (typically /var/mail/$USER), to which a message is
delivered, is checked using lstat(2) to verify that the file is not a
symlink. If the file is not a symlink, it is then opened. This is
subject to a symlink race: an attacker has a window between the
lstat(2) and open(2) calls during which she/he can create a symlink to
an arbitrary file. The mail.local program will then append arbitrary
data to the file the symlink points to, or change its ownership using
fchown(2).


Solutions and Workarounds
=========================

A potential workaround is to remove mail.local or turn off the SUID bit
on the file. This program was used by sendmail(8), which is no longer
shipped with NetBSD (NetBSD uses postfix(1) as its MTA).
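The lstat(2)-then-open(2) pattern from Technical Details, next to a form that opens first and then checks the descriptor, as an added example (not NetBSD's mail.local source or its fix). The function names, the O_NOFOLLOW and link-count checks, and the temporary files used by the self-check are assumptions chosen for illustration.

```c
#define _XOPEN_SOURCE 700   /* expose lstat, symlink, mkdtemp, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: the path is resolved twice, so it can be
 * replaced by a symlink after lstat(2) returns and before open(2) runs. */
int open_mailbox_racy(const char *path)
{
    struct stat sb;
    if (lstat(path, &sb) == -1 || S_ISLNK(sb.st_mode))
        return -1;
    return open(path, O_WRONLY | O_APPEND);   /* race window ends here */
}

/* Hardened form: resolve the path once, refusing a symlink as the final
 * component, then validate the opened object through its descriptor. */
int open_mailbox_checked(const char *path)
{
    struct stat sb;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd == -1)
        return -1;                  /* includes "final component is a symlink" */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1) {
        close(fd);                  /* not a regular, singly linked file */
        return -1;
    }
    return fd;                      /* write/fchown via fd hit the checked inode */
}

/* Constructed self-check: regular file accepted, symlink to it refused. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/mboxXXXXXX", file[64], lnk[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/user", dir);
    snprintf(lnk, sizeof lnk, "%s/alias", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd == -1 || close(fd) == -1 || symlink(file, lnk) == -1)
        return -1;
    int ok = open_mailbox_checked(file);
    int bad = open_mailbox_checked(lnk);
    if (ok != -1) close(ok);
    unlink(lnk); unlink(file); rmdir(dir);
    return ok != -1 && bad == -1;
}
int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

Both functions refuse a symlink that already exists; only the second still refuses one that appears after the check, because the check and the later write or fchown(2) act on the same open descriptor.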

Binary update of affected versions (root is required to extract):

To apply a fixed version from a releng build, fetch a matching
base.tgz from nyftp.netbsd.org and extract the fixed binaries:

        # cd /var/tmp
        # ftp http://nyftp.netbsd.org/pub/NetBSD-daily////binary/sets/base.tgz
        # cd /
        # tar xzpf /var/tmp/base.tgz ./usr/libexec/mail.local

with the following replacements:
         = the release version you are using
         = the source date of the build. 20160719 and later will fit
         = your system's architecture

The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and installing a
new version of mail.local(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2016-07-19
        should be upgraded to NetBSD-current dated 2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 7.*:

        Systems running NetBSD 7.* sources dated from before
        2016-07-19 should be upgraded from NetBSD 7.* sources dated
        2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-7, netbsd-7-0 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -r -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 6.*:

        Systems running NetBSD 6.* sources dated from before
        2016-07-19 should be upgraded from NetBSD 6.* sources dated
        2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-6, netbsd-6-1 or netbsd-6-0 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -r -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Mateusz Kocielski who analyzed this problem and supplied the fixes.

Coverity for providing the Coverity Scan project.


Revision History
================

        2016-07-20      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA201X-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2016, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2016-006.txt.asc,v 1.1 2016/07/20 19:35:52 christos Exp $