oss-sec mailing list archives

Re: CVE id request: maildrop


From: Steffen Joeris <steffen.joeris () skolelinux de>
Date: Thu, 28 Jan 2010 14:31:24 +0100

Hi Josh

On Thu, 28 Jan 2010 01:53:41 pm Josh Bressers wrote:
> ----- "Steffen Joeris" <steffen.joeris () skolelinux de> wrote:
> > Could I please get a CVE id for this privilege escalation bug[0] in
> > maildrop?
> >
> > Cheers
> > Steffen
> >
> > [0]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
>
> Can you sum this up in a few sentences? I'm having a horrible time
> following that bug.

From the DSA text:

Christoph Anton Mitterer discovered that maildrop, a mail delivery agent
with filtering abilities, is prone to a privilege escalation issue that
grants a user root group privileges.


The issue occurs when invoking maildrop -d, which keeps the root group
privileges on the mailbox rather than changing them to the user's gid.

Cheers
Steffen
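
An added example, not part of the original post and not maildrop's code: the privilege-drop order a root-started delivery agent needs so that it does not keep root's group, with a check that fails closed if any group is left over. The function names, the struct and the uid/gid 1000 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct ids {                     /* snapshot of a process's credentials */
    uid_t ruid, euid;
    gid_t rgid, egid;
    int ngroups;
    gid_t groups[64];
};

/* Pure check: 0 if the snapshot holds only uid/gid, -1 if anything is left. */
int ids_clean(const struct ids *s, uid_t uid, gid_t gid)
{
    if (s->ruid != uid || s->euid != uid)
        return -1;
    if (s->rgid != gid || s->egid != gid)
        return -1;               /* uid changed but gid is still root's */
    for (int i = 0; i < s->ngroups; i++)
        if (s->groups[i] != gid)
            return -1;           /* supplementary group inherited from root */
    return 0;
}

/* Drop from root to uid/gid. Order matters: groups and gid go first, because
 * after setuid() the process is no longer allowed to change them. */
int drop_to_user(uid_t uid, gid_t gid)
{
    struct ids now;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    now.ruid = getuid();  now.euid = geteuid();
    now.rgid = getgid();  now.egid = getegid();
    now.ngroups = getgroups(64, now.groups);
    if (now.ngroups < 0 || ids_clean(&now, uid, gid) != 0)
        return -1;               /* refuse to continue with stale privileges */
    return 0;
}

int main(void)
{
    /* Constructed ids: recipient uid/gid 1000; run as root. */
    if (drop_to_user(1000, 1000) != 0)
        return 1;                /* do not deliver with stale privileges */
    puts("running with the recipient's uid and gid only");
    return 0;
}
```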
