-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		 NetBSD Security Advisory 2022-003
		 =================================

Topic:		Race condition in mail.local(8)

Version:	NetBSD-current:		affected prior to 2022-05-17
		NetBSD 10:		not affected
		NetBSD 9.*:		affected
		NetBSD 8.*:		affected

Severity:	Local user may be able to own any file or append arbitrary
		data

Fixed:		NetBSD-current:		May 17, 2022
		NetBSD-9 branch:	May 17, 2022
		NetBSD-8 branch:	May 17, 2022

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A race condition exists in the mail.local(8) (/usr/libexec/mail.local)
program, which is setuid root. It may be exploited to change the
ownership of, or append arbitrary data to, an arbitrary file.

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.

This was originally addressed in NetBSD-SA2016-006 and has been
assigned CVE-2016-6253. That fix proved ineffective and had to be
corrected again, which is the reason for this new advisory.


Technical Details
=================

The user mailbox (typically /var/mail/$USER) to which a message is
delivered is checked with lstat(2) to verify that it is not a symlink.
If it is not a symlink, it is opened. If the file does not exist, it is
created with a second open(2) call. There is a small window between the
two open calls in which an attacker can replace the mailbox path with a
symlink to an arbitrary file; mail.local then chowns the file the
symlink points to.
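The following C program is an added illustration, not part of this advisory and not NetBSD's own mail.local code, of how the mailbox open can be written so that no lstat(2) result has to stay valid across a later open(2): O_NOFOLLOW refuses a symlink at the mailbox path outright, O_CREAT|O_EXCL fails if anything appears at the path between the two open(2) calls, and the ownership change goes through fchown(2) on the descriptor instead of chown(2) on the path. The function name open_mailbox and the two demo fixtures under /tmp are assumptions made for this example; the fixtures build a symlinked mailbox name and a missing mailbox in a scratch directory and check that the first is refused and the second is created once and merely reopened afterwards.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* O_NOFOLLOW on glibc under a strict -std */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open, or create, a mailbox for appending without the lstat/open/open
 * window the advisory describes. Hypothetical example, not the NetBSD fix:
 *  - O_NOFOLLOW makes open(2) refuse a symlink at `path` instead of
 *    following it, so no separate lstat(2) result has to remain valid;
 *  - O_CREAT|O_EXCL on the create path fails if anything, including a
 *    freshly planted symlink, appears at `path` between the two calls;
 *  - fstat(2)/fchown(2) act on the descriptor we hold, never on the path,
 *    so a later swap of the name cannot redirect them.
 * Returns the descriptor, or -1 with errno set; *created reports whether
 * this call made the file.
 */
int open_mailbox(const char *path, uid_t owner, gid_t group, int *created)
{
    struct stat st;
    int fd, saved;

    *created = 0;
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd == -1) {
        if (errno != ENOENT)
            return -1;                  /* a symlink sits at path, or I/O error */
        fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd == -1)
            return -1;                  /* something appeared in the window */
        *created = 1;
    }
    if (fstat(fd, &st) == -1)
        goto fail;
    /* Only a plain file with a single link is an acceptable mailbox. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        errno = EPERM;
        goto fail;
    }
    /* Hand the mailbox to its owner only when we created it, via the fd. */
    if (*created && fchown(fd, owner, group) == -1)
        goto fail;
    return fd;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Scratch directory for the demos below (constructed test fixture). */
static int make_scratch(char *dir, size_t len)
{
    snprintf(dir, len, "/tmp/mailbox_demo.%ld", (long)getpid());
    return mkdir(dir, 0700) == 0 || errno == EEXIST;
}

/* Fixture: the mailbox name is a symlink to another file. Returns 1 when
 * open_mailbox() refuses it, which is the behaviour we want. */
int demo_symlink_rejected(void)
{
    char dir[64], target[128], box[128];
    int fd, created, rejected;

    if (!make_scratch(dir, sizeof dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(box, sizeof box, "%s/mbox_link", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
    unlink(box);
    if (symlink(target, box) == -1) return 0;
    fd = open_mailbox(box, getuid(), getgid(), &created);
    rejected = (fd == -1 && created == 0);
    if (fd >= 0) close(fd);
    unlink(box); unlink(target); rmdir(dir);
    return rejected;
}

/* Fixture: no mailbox yet. Expect creation on the first delivery and a
 * plain reopen (created == 0) on the second, with the data still there. */
int demo_fresh_mailbox(void)
{
    char dir[64], box[128];
    struct stat st;
    int fd, created, ok = 0;

    if (!make_scratch(dir, sizeof dir)) return 0;
    snprintf(box, sizeof box, "%s/mbox_new", dir);
    unlink(box);
    fd = open_mailbox(box, getuid(), getgid(), &created);
    if (fd >= 0 && created == 1 && write(fd, "From demo\n", 10) == 10) {
        close(fd);
        fd = open_mailbox(box, getuid(), getgid(), &created);
        ok = (fd >= 0 && created == 0 && fstat(fd, &st) == 0 && st.st_size == 10);
    }
    if (fd >= 0) close(fd);
    unlink(box); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink at mailbox path rejected:   %s\n", demo_symlink_rejected() ? "yes" : "NO");
    printf("fresh mailbox created and reopened: %s\n", demo_fresh_mailbox() ? "yes" : "NO");
    return 0;
}
```

The st_nlink check is made on the already open descriptor, so it also refuses a hard link to some other file without reopening any path. The remaining path-based call is the second open(2) itself, and O_EXCL turns a lost race into a visible failure rather than a silent write to the wrong file.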


Solutions and Workarounds
=========================

A possible workaround is to remove /usr/libexec/mail.local if postfix(1)
is your only way of delivering mail. The mail.local(8) program was used by
sendmail(8), which is no longer shipped with NetBSD (postfix(1) is the
default MTA). If another MTA is in use, check manually whether it depends
on mail.local(8).

To apply a fixed version from a releng build, fetch a suitable
base.{tgz,tar.xz} from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz libexec/mail.local

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and
installing a new version of mail.local(8).



* NetBSD-current:

        Systems running NetBSD-current dated from before 2022-05-18
        should be upgraded to NetBSD-current dated 2022-05-18 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 8.* or 9.*:

        Systems running NetBSD 8.* or 9.* sources dated from before
        2022-05-18 should be upgraded to NetBSD 8.* or 9.* sources dated
        2022-05-18 or later.

        The following files/directories need to be updated from the
        netbsd-8 or netbsd-9 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):

                # cd src
                # cvs update -r <branch_name> -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Jan Schaumann for pointing out the ineffectiveness of the original 2016-07-19
fix.


Revision History
================

	2022-10-04	Initial release
	2022-10-08	Mention all branches affected


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/


Copyright 2022, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2022-003.txt,v 1.2 2022/10/08 13:28:21 christos Exp $

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----