From: Nigel Metheringham Date: Wed, 26 May 2010 12:26:00 +0000 (+0000) Subject: Prevent hardlink attack on mbox sticky mail directory. fixes: bug #988 X-Git-Tag: exim-4_72_RC1~1 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=a466095c0f9c7f48b1c9f857b5a17cab69fecd28;p=exim.git Prevent hardlink attack on mbox sticky mail directory. fixes: bug #988 --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 1c1a81b70..1f86a569d 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.607 2010/03/23 14:06:48 jetmore Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.608 2010/05/26 12:26:00 nm4 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -25,6 +25,9 @@ NM/05 Bugzilla 671: Added umask to procmail example. JJ/03 installed exipick 20100323.0, fixing doc bug +NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail + directory. Notification and patch from Dan Rosenberg + Exim version 4.71 ----------------- diff --git a/src/src/transports/appendfile.c b/src/src/transports/appendfile.c index df2ce1cd8..984f2d7d6 100644 --- a/src/src/transports/appendfile.c +++ b/src/src/transports/appendfile.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.24 2009/11/16 19:50:39 nm4 Exp $ */ +/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.25 2010/05/26 12:26:01 nm4 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * 
@@ -1806,6 +1806,18 @@ if (!isdirectory) goto RETURN; } + /* Just in case this is a sticky-bit mail directory, we don't want + users to be able to create hard links to other users' files. */ + + if (statbuf.st_nlink != 1) + { + addr->basic_errno = ERRNO_NOTREGULAR; + addr->message = string_sprintf("mailbox %s%s has too many links (%d)", + filename, islink? " (symlink)" : "", statbuf.st_nlink); + goto RETURN; + + } + /* If symlinks are permitted (not recommended), the lstat() above will have found the symlink. Its ownership has just been checked; go round the loop again, using stat() instead of lstat(). That will never yield a
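Review bot: The NM/06 entry in the doc/doc-txt/ChangeLog hunk names the attack and the CVE but not the behaviour change an administrator will see after upgrading. The appendfile.c change refuses any mailbox file whose link count is not 1 and reports "has too many links", so a site that has mailbox files with more than one hard link will start seeing that error. Suggest extending the entry with a clause saying that appendfile now rejects a mailbox file with st_nlink other than 1, so the new error can be traced back to this change from the ChangeLog alone.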
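Review bot: In the appendfile.c hunk at @@ -1806, the string_sprintf() call passes statbuf.st_nlink for a %d conversion, but st_nlink has type nlink_t, which POSIX leaves implementation-defined and which is wider than int on some platforms. Cast the argument, for example (int)statbuf.st_nlink, so the value passed matches the format. Two smaller points in the same block: the comment says "Just in case this is a sticky-bit mail directory", while the test as written does not look at the directory mode and so applies to every file that reaches it, which the comment should state; and the blank line between "goto RETURN;" and the closing brace can be dropped.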