NetBSD Security Advisory 2022-003: Race condition in mail.local(8)

[NetBSD Security-Officer <security-officer%netbsd.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		 NetBSD Security Advisory 2022-003
		 =================================

Topic:		Race condition in mail.local(8)

Version:	NetBSD-current:		affected prior to 2022-05-17
		NetBSD 10:		not affected
		NetBSD 9*:		affected
		NetBSD 8*:		affected

Severity:	Local user may be able to own any file or append arbitrary
		data

Fixed:		NetBSD-current:		May 17, 2022
		NetBSD-9 branch:	May 17, 2022
		NetBSD-8 branch:	May 17, 2022

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A race condition exists in the mail.local(8) (/usr/libexec/mail.local)
program which is setuid root. That may be exploited in order to change
the ownership of or append arbitrary data to an arbitrary file.

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.

This was originally addressed in NetBSD-SA2016-006 and has been
assigned CVE-2016-6253. The fix proved inefficient and had to
be fixed again, which is the reason for this new advisory.


Technical Details
=================

The user mailbox (typically /var/mail/$USER) which is used to deliver a
message, is checked using lstat(2) to verify that the file is not a symlink.
Then if the file is not a symlink, it's opened. If the file does not
exist, it is created with another open(2) call. There is a tiny window
between the two open calls in which the attacker could symlink it
to a arbitrary file, and the mail.local program then would chown
the file the symlink points to.


Solutions and Workarounds
=========================

Potential workaround is to remove /usr/libexec/mail.local, if you use
postfix(1) as the only way of delivering mails. mail.local(8) program was used
by sendmail(8) which is no longer shipped with the NetBSD (currently
postfix(1) is used as a default MTA). mail.local(8) dependency should be
checked manually in case of other MTAs).

To apply a fixed version from a releng build, fetch a fitting
base.{tgz,tar.xz} from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz libexec/mail.local

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and
installing a new version of mail.local(8).



* NetBSD-current:

        Systems running NetBSD-current dated from before 2022-05-18
        should be upgraded to NetBSD-current dated 2022-05-18 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 8.* or 9.*:

        Systems running NetBSD 8.* or 9.*  sources dated from before
        2022-05-18 should be upgraded from NetBSD 8.* or 9.* sources dated
        2022-05-18 or later.

        The following files/directories need to be updated from the
        netbsd-8 or netbsd-9 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):

                # cd src
                # cvs update -r <branch_name> -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Jan Schaumann for pointing out the ineffectiveness of the original 2016-07-19
fix.


Revision History
================

	2022-10-04	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/


Copyright 2022, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2022-003.txt,v 1.1 2022/10/04 13:48:16 christos Exp $

-----BEGIN PGP SIGNATURE-----

iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmM8OaEcHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J//cKD/9u06K8UJCYh+w2ax0p
csmLj+vy62LqaaDQTbsDhqNB0zwDJsxKSqEsguP6zZhJqoQ+dUTLr8gHzyij7ARq
R02AXntyThpzPkTO61yklcKANzRdf9jQjJ/N6MzsqcFxP0xbtE48G4oDDDYNU7nn
eVQ0nI6XnaozZtyITJ5AQh7jUEzf0RHtfmE1mzuID41HM1rctow0n9ubmpoD3rq/
mwtfNFeRh5jyrCQtHKXMlly9M7kGFT1ZldKO2HHP3NHH1c3stCZ1Qj6jdm0mKXih
fgRFRs8hwl37qn1jxMTFd0/G7tsz5ox3/7LccxS181S2kghQ3q5F4bz2hO8GWL0d
C36VQj3ySmsECnSSjt709y6venTMCcmdERvOGjXNVtU2OYBuikzT8RQl1iNBMt4l
iBVh2/PtkvdAu1Yx9VVDbA+HLQj1ZNnr9ai2qckFOF2vHeAffHD9WeI4qINRhvJ5
pzgKikKHWKKID2crDsH0CxGVLq8RzU8a71+JrN3PSbaoXQT7kFsWMvXWWJrsmpVK
vNCqnYD1+hZgHvGidxiBFSog9rHJRzAebTISs+In+rlsL4SigrLOq5ZoD1bFLu0s
CCVKTIT2upWzri19+rz+SxkKobCSGLHVDruwc1nCm9pHP/00WRSuIjHWnHWRqTKi
xGDmiSbukLlLhq9ul+Zb3pI2KA==
=Swxd
-----END PGP SIGNATURE-----