Vulnerability Development mailing list archives

Re: bug in procmail (ver 3.14 maybe others?)

From: Philip Guenther <guenther () sendmail com>
Date: Sun, 24 Feb 2002 11:18:18 -0800

Ehud Tenenbaum <analyzer () 2xss com> writes:

Philip Guenther wrote:

...

(As a (long) side note: the only way I know to send a SIGALRM to a
setuid process is to exec it directly, leaving an alarm pending past the
exec, and even then new enough OSes don't even allow that.  It worked
under gdb because tracing disables setuid execution, but otherwise I
don't know how you would do it.  You can send 'tty signals' (INT, QUIT,
TSTP, HUP, WINCH, INFO) to setuid processes if it's in one of your
sessions.  That extends to some other signals (KILL and STOP), at least
some of the time, but I don't see how to arbitrarly send other signals
to setuid processes.)


On the other hand I disagree with you on this one, sigalrm is occur when
using alarm() in a program and therefor can be reproduced even without
the tracing (that how BOS found it in the first place) this has nothing
to do with gdb.


When a setuid process gets SIGALRM because it called alarm(), that isn't
'arbitrary'.  That's expected and (presumably) planned for: if a program
crashes from its own alarm() call, then it's simply a bug.  Perhaps it
would have been clearer if I had said that I don't see how to send an
arbitrary and _unexpected_ signal to a setuid process.  When I try to do
so under OpenBSD, I get EPERM errors.

<pause>

Ick, I see that this is an area where OpenBSD is more paranoid than
others, as both FreeBSD 4.2 and Linux 2.2.17 allow you to send more than
just tty signals to setuid processes in your session.  Seems like a bug
to me, but one we'll have to live with a goodly while.  Ah well, yet
another thing to audit in user programs.


As for procmail crashing from the SIGALRM it sent itself with alarm(),
you should upgrade to 3.15.2 and see if the problem is gone: versions
before then definitely could be made to do unsafe things in signals
handlers.  I'll fix for the next version the "lastexec==NULL in
ftimeout()" problem you pointed out so that procmail won't crash when
sent unexpected SIGALRM; if you find other problems in 3.15.2, please
email them to <bug () procmail org>.  Ditto for 3.22, though you should
probably wait til 3.23, to be released Real Soon Now, before spending
time banging on it.


Philip Guenther
Procmail Maintainer

Current thread:

bug in procmail (ver 3.14 maybe others?) Ehud Tenenbaum (Feb 23)
- <Possible follow-ups>
- re: bug in procmail (ver 3.14 maybe others?) Philip Guenther (Feb 24)
  - Message not available
    - Re: bug in procmail (ver 3.14 maybe others?) Philip Guenther (Feb 24)
    - Message not available
    - Re: bug in procmail (ver 3.14 maybe others?) Philip Guenther (Feb 25)
  - Re: bug in procmail (ver 3.14 maybe others?) Valdis . Kletnieks (Feb 25)