From nobody@FreeBSD.org  Thu Jun 24 02:16:20 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 757BE106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 Jun 2010 02:16:20 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 64CFB8FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 Jun 2010 02:16:20 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o5O2GJLD032820
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 Jun 2010 02:16:19 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o5O2GJqL032819;
	Thu, 24 Jun 2010 02:16:19 GMT
	(envelope-from nobody)
Message-Id: <201006240216.o5O2GJqL032819@www.freebsd.org>
Date: Thu, 24 Jun 2010 02:16:19 GMT
From: Kazuo Dohzono <dohzono@axion-software.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [INFO] patch available for emacs movemail vulnerability. 
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         148099
>Category:       ports
>Synopsis:       editors/emacs22: patch available for emacs movemail vulnerability.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ashish
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 24 02:20:01 UTC 2010
>Closed-Date:    
>Last-Modified:  Wed Jul 14 00:06:37 UTC 2010
>Originator:     Kazuo Dohzono
>Release:        8.0-RELEASE
>Organization:
Axion Software Inc.
>Environment:
>Description:
portaudit -aF reports the vulnerability below:

| Affected package: emacs-22.3_4,1
| Type of problem: emacs -- movemail symlink race condition.
| Reference: <http://portaudit.FreeBSD.org/f6b6beaa-4e0e-11df-83fb-0015587e2cc1.html>

and there seems to be a patch here:

http://launchpadlibrarian.net/41882940/movemail.patch

It is discussed here:

https://bugs.launchpad.net/ubuntu/+bug/531569

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- emacs22-22.2/lib-src/movemail.c.orig	2010-03-03 16:44:40.000000000 -0500
+++ emacs22-22.2/lib-src/movemail.c	2010-03-24 18:07:49.000000000 -0400
@@ -177,6 +177,10 @@
   int nread;
   WAITTYPE status;
   int c, preserve_mail = 0;
+  uid_t real_gid, priv_gid;
+
+  real_gid = getgid();
+  priv_gid = getegid();
 
 #ifndef MAIL_USE_SYSTEM_LOCK
   struct stat st;
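Review bot: `real_gid` and `priv_gid` hold group IDs but are declared `uid_t`; they should be `gid_t`, which is what the setegid() calls later in this patch take. The two assignments `real_gid = getgid();` / `priv_gid = getegid();` are also placed ahead of `struct stat st;` under `#ifndef MAIL_USE_SYSTEM_LOCK`, which mixes statements and declarations in a function otherwise written in C89 style; fold the initialisation into the declarations (`gid_t real_gid = getgid ();` and `gid_t priv_gid = getegid ();`) and keep them with the other declarations.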
@@ -248,25 +252,6 @@
   if (*outname == 0)
     fatal ("Destination file name is empty", 0, 0);
 
-  /* Check access to output file.  */
-  if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
-    pfatal_with_name (outname);
-
-  /* Also check that outname's directory is writable to the real uid.  */
-  {
-    char *buf = (char *) xmalloc (strlen (outname) + 1);
-    char *p;
-    strcpy (buf, outname);
-    p = buf + strlen (buf);
-    while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
-      *--p = 0;
-    if (p == buf)
-      *p++ = '.';
-    if (access (buf, W_OK) != 0)
-      pfatal_with_name (buf);
-    free (buf);
-  }
-
 #ifdef MAIL_USE_POP
   if (!strncmp (inname, "po:", 3))
     {
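Review bot: removing the `access (outname, ...)` checks leaves the `po:` branch that begins at `if (!strncmp (inname, "po:", 3))` with no check at all, and that branch runs and exits before any privilege drop in this patch, so whatever popmail does with outname now happens with the set-group-ID still in effect. The removal itself is right, since access() followed by a later open is exactly the race window being fixed, but the replacement (opening outname with the real credentials) is only applied on the direct-access path below; either drop to `real_gid` before the `po:` branch too, or say in a comment why that path is considered safe.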
@@ -278,15 +263,12 @@
       exit (status);
     }
 
-  setuid (getuid ());
+  if ( setuid (getuid ()) < 0 )
+    fatal ("Failed to drop privileges", 0, 0);
+
 #endif /* MAIL_USE_POP */
 
 #ifndef DISABLE_DIRECT_ACCESS
-
-  /* Check access to input file.  */
-  if (access (inname, R_OK | W_OK) != 0)
-    pfatal_with_name (inname);
-
 #ifndef MAIL_USE_MMDF
 #ifndef MAIL_USE_SYSTEM_LOCK
 #ifdef MAIL_USE_MAILLOCK
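Review bot: checking the return of `setuid (getuid ())` is correct, but note that it only drops the user ID; the group privilege this program actually runs with is untouched here, so after `#endif /* MAIL_USE_POP */` the process still carries the privileged egid, and with `access (inname, R_OK | W_OK)` removed nothing on this path verifies that the real user may read inname. That is acceptable only because a later hunk calls setegid (real_gid) before the inbox and outname are opened; add a one-line comment at the removal point saying the check is now enforced by opening the files with the real gid, so the next reader does not reinstate the access() call.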
@@ -373,7 +355,8 @@
       long touched_lock, now;
 #endif
 
-      setuid (getuid ());
+      if ( setuid (getuid ()) < 0 || setegid (real_gid) < 0 )
+        fatal("Failed to drop privileges", 0, 0);
 
 #ifndef MAIL_USE_MMDF
 #ifdef MAIL_USE_SYSTEM_LOCK
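Review bot: the order `setuid (getuid ()) < 0 || setegid (real_gid) < 0` is fine, and this drop is the real fix for the race, because from here on any file opened by name is opened with the caller's own credentials rather than checked with access() and opened later. Two points: the comment should state that the drop is temporary and relies on the saved set-group-ID so that the later setegid (priv_gid) can succeed; and `fatal("Failed to drop privileges", 0, 0)` drops the space before the parenthesis that this file (and this patch's earlier hunk, `fatal ("Failed to drop privileges", 0, 0)`) uses. Also, because the drop precedes the inbox open as well, inboxes that are readable only through the mail group rather than owned by the user will now fail to open; worth a note in the port's pkg-message if such spools exist.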
@@ -399,6 +382,9 @@
       if (outdesc < 0)
 	pfatal_with_name (outname);
 
+      if ( setegid(priv_gid) < 0 )
+        fatal("Failed to regain privileges", 0, 0);
+
       /* This label exists so we can retry locking
 	 after a delay, if it got EAGAIN or EBUSY.  */
     retry_lock:
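Review bot: regaining the group only after `if (outdesc < 0) pfatal_with_name (outname);` is the right placement: a failed open exits without ever restoring privileges. Be aware, though, that everything between the drop in the previous hunk and this line runs as the real gid, not just the open of outname, so any other by-name operation in that window inherits the same permission change; a short comment at `setegid(priv_gid)` naming what the privileged group is needed for from this point on (the locking that follows `retry_lock:`) would make the window's extent explicit.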
@@ -499,6 +485,10 @@
       /* Check to make sure no errors before we zap the inbox.  */
       if (close (outdesc) != 0)
 	pfatal_and_delete (outname);
+    
+  /* Prevent symlink attacks truncating other users' mailboxes */
+  if ( setegid (real_gid) < 0 )
+    fatal("Failed to drop privileges", 0, 0);
 
 #ifdef MAIL_USE_SYSTEM_LOCK
       if (! preserve_mail)
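Review bot: the comment `Prevent symlink attacks truncating other users' mailboxes` overstates what this drop buys in the `MAIL_USE_SYSTEM_LOCK` branch, where the truncation is `ftruncate (indesc, 0L)` on a descriptor that is already open: permission was decided at open time, and changing the effective gid afterwards has no effect on it. The drop only matters for the by-name `open (inname, O_CREAT | O_TRUNC ...)` and `creat (inname, 0600)` calls in the other branches, so word the comment accordingly. The inserted lines are also indented two spaces inside a block indented six, and the blank line before the comment carries trailing whitespace; match the surrounding layout.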
@@ -506,7 +496,12 @@
 #if defined (STRIDE) || defined (XENIX)
 	  /* Stride, xenix have file locking, but no ftruncate.
 	     This mess will do. */
-	  close (open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666));
+    int indesc2 = open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666);
+    if ( indesc2 < 0 )
+      pfatal_with_name (inname) 
+
+	  close (indesc2);
+
 #else
 	  ftruncate (indesc, 0L);
 #endif /* STRIDE or XENIX */
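Review bot: `pfatal_with_name (inname)` is missing its semicolon, so this branch does not compile when STRIDE or XENIX is defined; nobody builds that configuration any more, which is exactly why the error would go unnoticed. Either complete it (`pfatal_with_name (inname);`) or leave the dead branch untouched rather than ship a known syntax error. The new lines are also indented with four spaces where the block uses a tab plus two.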
@@ -532,6 +527,10 @@
 	    creat (inname, 0600);
 	}
 #endif /* not MAIL_USE_SYSTEM_LOCK */
+    
+    /* End of mailbox truncation */
+    if ( setegid(priv_gid) < 0 )
+      fatal("Failed to regain privileges", 0, 0);
 
 #ifdef MAIL_USE_MAILLOCK
       /* This has to occur in the child, i.e., in the process that
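Review bot: placing `setegid(priv_gid)` after `#endif /* not MAIL_USE_SYSTEM_LOCK */` is correct, since it sits outside both truncation branches and every surviving path reaches it, while a pfatal_with_name inside either branch exits unprivileged, which is the failure mode we want. Indentation again: four spaces versus the six used by the surrounding code, plus trailing whitespace on the blank line above the comment. For the port itself, note that the patch is against `emacs22-22.2/lib-src/movemail.c` while the affected package is emacs-22.3_4,1, so expect to regenerate the hunk offsets when turning this into a files/ patch for editors/emacs22.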


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ashish 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jul 14 00:05:56 UTC 2010 
Responsible-Changed-Why:  
Fix synopsis and assign. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148099 
>Unformatted:
