-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This security announcement is kept for historic reasons. The software that was found to be vulnerable no longer ships with bogofilter. - ----------------------------------------------------------------------- bogofilter-SA-2002:01.bogopass Topic: vulnerability in bogopass Announcement: bogofilter-SA-2002:01 Writer: Matthias Andree Version: 1.00 Announced: 2002-11-29 Category: contrib Type: temporary file created insecurely Impact: anonymous local file destruction or change Credits: - Danger: medium (the vulnerable version was replaced after 6 hours, the vulnerable program is not installed by default) Bugtraq ID: 6278 URL: http://bogofilter.sourceforge.net/security/bogofilter-SA-2002-01 Affects: bogofilter 0.9.0.4 (beta version) Not affected: bogofilter 0.9.0.3 and before bogofilter 0.9.0.5 and newer Default install: unaffected. Introduced: 2002-11-27 23:04:28 UTC (CVS) 2002-11-27 23:11 bogofilter 0.9.0.4 released Corrected: 2002-11-28 01:19:04 UTC (CVS) - disabled original version 2002-11-28 03:32:47 UTC (CVS) - committed corrected version 2002-11-28 04:26 bogofilter 0.9.0.5 released 0. Release history 2002-11-28 1.00 initial announcement 2004-10-28 added Bugtraq ID 2004-10-30 added URL 1. Background Bogofilter is a software package to determine if a mail on its standard input is spam or not. 2. Problem description A vulnerability was found in the contrib/bogopass Perl program that was added to bogofilter as of the 0.9.0.4 beta release (date: 2002-11-27 23:04:28 UTC in CVS) with bogofilter, but is not installed by default. The bogopass program creates temporary files with the name /tmp/bogopass.$$, where $$ is the process ID, with the open FH, ">file" syntax of Perl, which uses O_TRUNC mode, not O_EXCL. 3. Impact This vulnerability allows for anonymous file destruction or change, and might be abused to further escalate the privileges of the local attacker. If bogopass is run by the root user, this may eventually lead to a complete system compromise. 4. Workaround Do not install or use the "bogopass" program that shipped with the vulnerable versions (see above) of bogofilter. 5. Solution Upgrade your bogofilter to version 0.9.0.5 beta, and reinstall the bogopass program. Make sure you delete all copies of the old version of bogopass. bogofilter 0.9.0.5 is available from sourceforge: http://sourceforge.net/project/showfiles.php?group_id=62265&release_id=118794 6. Solution details revision 1.3 date: 2002/11/28 03:32:47; author: m-a; state: Exp; lines: +67 -26 7. Other hints Software that treats user input should not run as root if it can be avoided. When installing bogofilter for system-wide use, make sure that it runs as an unprivileged user to limit the impact of possible vulnerabilities. A. References bogofilter home page: http://bogofilter.sourceforge.net/ B. License (C) Copyright 2002,2004 by Matthias Andree. Some rights reserved. This work is dual-licensed under the Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0), and the GNU General Public License, v3, or later. To view a copy of the Creative Commons Attribution-NoDerivs 3.0 Germany license, visit http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a letter to: Creative Commons 444 Castro Street Suite 900 MOUNTAIN VIEW, CALIFORNIA 94041 USA This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program, in the file ../gpl-3.0.txt. If not, see . THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlHYI0gACgkQvmGDOQUufZUMoQCfYWr/Hxis2E3oD+ARX7hijPKg GxoAnjujONBLoVtTg89bRa8LfHwFPscy =cEcX -----END PGP SIGNATURE-----