diff options
| author | Nigel Metheringham <nigel@exim.org> | 2010-05-26 12:26:00 +0000 |
|---|---|---|
| committer | Nigel Metheringham <nigel@exim.org> | 2010-05-26 12:26:00 +0000 |
| commit | a466095c0f9c7f48b1c9f857b5a17cab69fecd28 (patch) | |
| tree | e1b9518bf8d9a641d73ee176654d29cf016e4208 | |
| parent | 1a41defab20ca8a3472d9ba6cab57b40b2011a0a (diff) | |
Prevent hardlink attack on mbox sticky mail directory. fixes: bug #988
| -rw-r--r-- | doc/doc-txt/ChangeLog | 5 | ||||
| -rw-r--r-- | src/src/transports/appendfile.c | 14 |
2 files changed, 17 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 1c1a81b70..1f86a569d 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.607 2010/03/23 14:06:48 jetmore Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.608 2010/05/26 12:26:00 nm4 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -25,6 +25,9 @@ NM/05 Bugzilla 671: Added umask to procmail example. JJ/03 installed exipick 20100323.0, fixing doc bug +NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail + directory. Notification and patch from Dan Rosenberg + Exim version 4.71 ----------------- diff --git a/src/src/transports/appendfile.c b/src/src/transports/appendfile.c index df2ce1cd8..984f2d7d6 100644 --- a/src/src/transports/appendfile.c +++ b/src/src/transports/appendfile.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.24 2009/11/16 19:50:39 nm4 Exp $ */ +/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.25 2010/05/26 12:26:01 nm4 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -1806,6 +1806,18 @@ if (!isdirectory) goto RETURN; } + /* Just in case this is a sticky-bit mail directory, we don't want + users to be able to create hard links to other users' files. */ + + if (statbuf.st_nlink != 1) + { + addr->basic_errno = ERRNO_NOTREGULAR; + addr->message = string_sprintf("mailbox %s%s has too many links (%d)", + filename, islink? " (symlink)" : "", statbuf.st_nlink); + goto RETURN; + + } + /* If symlinks are permitted (not recommended), the lstat() above will have found the symlink. Its ownership has just been checked; go round the loop again, using stat() instead of lstat(). That will never yield a |