From 85defcf0e9e4187107b8a1a5138ef9590ac3892c Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 15 May 2018 19:04:34 -0400 Subject: [PATCH] Don't open spool data-files which are symlinks --- doc/doc-txt/ChangeLog | 3 +++ src/src/spool_in.c | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d9b77804b..d99b2684a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -29,6 +29,9 @@ JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage add more error-checking on spoolfile handling while that code is being messed with. +PP/01 Refuse to open a spool data file (*-D) if it's a symlink. + No known attacks, no CVE, this is defensive hardening. + Exim version 4.91 ----------------- diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 33890c516..cd74d1ee7 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -57,9 +57,17 @@ for (i = 0; i < 2; i++) fname = spool_fname(US"input", message_subdir, id, US"-D"); DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname); + /* We protect against symlink attacks both in not propagating the + * file-descriptor to other processes as we exec, and also ensuring that we + * don't even open symlinks. + * No -D file inside the spool area should be a symlink. + */ if ((fd = Uopen(fname, #ifdef O_CLOEXEC O_CLOEXEC | +#endif +#ifdef O_NOFOLLOW + O_NOFOLLOW | #endif O_RDWR | O_APPEND, 0)) >= 0) break; -- 2.25.1