TUCoPS :: HP Unsorted M :: bu-2100.htm

Multiple vulnerabilities in Deliver
Multiple vulnerabilities in Deliver
Multiple vulnerabilities in Deliver

==================================A0Deliver, multiple vulnerabilites
=A0March 24, 2010
Deliver (http://deliver.sourceforge.net/), a mail delivery program 
installed suid
root as /usr/bin/deliver, is vulnerable to several race conditions that can be
exploited by a local attacker using symbolic links.=A0 On systems using Deliver
over NFS, these attacks can result in gaining root privileges via
taking ownership
of critical system files.=A0 On other systems, these attacks can result in
denial-of-service conditions and information disclosure.=A0 In addition, users can
deny service to other users by creating lockfiles for other users' mailboxes.

Users are advised to discontinue use of Deliver in the absence of a patch or
new release from the developer.

These vulnerabilities were discovered by Dan Rosenberg

1/14/10 - Vulnerabilities discovered
1/27/10 - Developer notified
1/27/10 - Developer response, fix planned
3/20/10 - Fix deadlines repeatedly passed, disclosure date set at 3/24/10
3/24/10 - Disclosure

CVE identifier CVE-2010-0439 has been assigned to these issues.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH