bogofilter contrib/bogopass temp file vulnerability

From: Matthias Andree (matthias.andree@gmx.de)
Date: 11/29/02


Date: Fri, 29 Nov 2002 03:36:37 +0100
From: Matthias Andree <matthias.andree@gmx.de>
To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com, bogofilter@aotto.com

bogofilter-SA-2002:01.bogopass

Topic: vulnerability in bogopass

Announcement: bogofilter-SA-2002:01
Writer: Matthias Andree
Version: 1.00
Announced: 2002-11-29
Category: contrib
Type: temporary file created insecurely
Impact: anonymous local file destruction or change
Credits: -
Danger: medium (the vulnerable version was replaced after 6
                        hours, the vulnerable program is not installed
                        by default)

Affects: bogofilter 0.9.0.4 (beta version)

Not affected: bogofilter 0.9.0.3 and before
                bogofilter 0.9.0.5 and newer

Default install: unaffected.

Introduced: 2002-11-27 23:04:28 UTC (CVS)
                2002-11-27 23:11 bogofilter 0.9.0.4 released

Corrected: 2002-11-28 01:19:04 UTC (CVS) - disabled original version
                2002-11-28 03:32:47 UTC (CVS) - committed corrected version
                2002-11-28 04:26 bogofilter 0.9.0.5 released

0. Release history

2002-11-28 1.00 initial announcement

1. Background

Bogofilter is a software package to determine if a mail on its standard
input is spam or not.

2. Problem description

A vulnerability was found in the contrib/bogopass Perl program that was
added to bogofilter as of the 0.9.0.4 beta release (date: 2002-11-27
23:04:28 UTC in CVS) with bogofilter, but is not installed by default.

The bogopass program creates temporary files with the name
/tmp/bogopass.$$, where $$ is the process ID, with the open FH, ">file"
syntax of Perl, which uses O_TRUNC mode, not O_EXCL.

3. Impact

This vulnerability allows for anonymous file destruction or change, and
might be abused to further escalate the privileges of the local
attacker.

If bogopass is run by the root user, this may eventually lead to a
complete system compromise.

4. Workaround

Do not install or use the "bogopass" program that shipped with the
vulnerable versions (see above) of bogofilter.

5. Solution

Upgrade your bogofilter to version 0.9.0.5 beta, and reinstall the
bogopass program. Make sure you delete all copies of the old version of
bogopass.

bogofilter 0.9.0.5 is available from sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=62265&release_id=118794

6. Solution details

revision 1.3
date: 2002/11/28 03:32:47; author: m-a; state: Exp; lines: +67 -26

7. Other hints

Software that treats user input should not run as root if it can be
avoided. When installing bogofilter for system-wide use, make sure that
it runs as an unprivileged user to limit the impact of possible
vulnerabilities.

A. References

bogofilter home page: http://bogofilter.sourceforge.net/



Relevant Pages

  • Re: Hardy Herron probs?
    ... This is included by default in Hardy Heron. ... It seems as if bogofilter is doing something with ... Before I did the fresh install, I copied everything I wanted to save to ... dvd's, I have 2 dvd combo drives both LG, ...
    (Ubuntu)
  • [UNIX] Bogofilter Contrib/Bogopass Temp File Vulnerability
    ... Bogofilter is a software package to ... A vulnerability was found in the contrib/bogopass Perl program that was ... The bogopass program creates temporary files with the name ...
    (Securiteam)
  • Re: Why Doesnt Evolution Filter Spam?
    ... bite people who upgraded from earlier Fedora versions. ... have BF as the default spam filter. ... On my Ubuntu box it doesn't install into the menu system (that I ... I have "folders" for bogofilter and sa. ...
    (Fedora)
  • bogofilter contrib/bogopass temp file vulnerability
    ... Default install: unaffected. ... Bogofilter is a software package to determine if a mail on its standard ... The bogopass program creates temporary files with the name ...
    (Bugtraq)
  • Re: Spam and Viruses, Vandalism-l, the Mailing List from Hell.
    ... Bogofilter is excellent at helping sort messages in ... One category of junkmail, however, is not true spam. ... I got antivirus-milter to make and install but it ... Once you have the av product installed, edit the conf file appropriately and you should be up and running. ...
    (freebsd-questions)