Deliver 2.1.14 Multiple vulnerabilities

2010-03-29 / 2010-03-30
Credit: Dan Rosenberg
Risk: Medium
Local: Yes
Remote: No

==================================
Deliver, multiple vulnerabilities
March 24, 2010
CVE-2010-0439
==================================

==Description==

Deliver (http://deliver.sourceforge.net/), a mail delivery program installed suid root as /usr/bin/deliver, is vulnerable to several race conditions that can be exploited by a local attacker using symbolic links. On systems using Deliver over NFS, these attacks can result in gaining root privileges via taking ownership of critical system files. On other systems, these attacks can result in denial-of-service conditions and information disclosure. In addition, users can deny service to other users by creating lockfiles for other users' mailboxes.

==Solution==

Users are advised to discontinue use of Deliver in the absence of a patch or new release from the developer.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg (at) gmail (dot) com).

==Timeline==

1/14/10 - Vulnerabilities discovered
1/27/10 - Developer notified
1/27/10 - Developer response, fix planned
3/20/10 - Fix deadlines repeatedly passed, disclosure date set at 3/24/10
3/24/10 - Disclosure

==References==

CVE identifier CVE-2010-0439 has been assigned to these issues.
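The bug class in the advisory is a suid program that opens, creates or changes ownership of files by pathname in a location the local user controls, so a symbolic link planted between the check and the use redirects the privileged operation onto a file the attacker chose. The following is an added example, not Deliver's code, of the defensive pattern that closes that class: open with O_NOFOLLOW so a symlink at the final component is refused, validate the object actually opened via fstat on the descriptor rather than a second path lookup, and create lockfiles with O_CREAT|O_EXCL so a pre-planted link is never followed or truncated. The function names and the temporary directory scenario are constructed for this example.

```c
/* Added example (not Deliver's code): hardening against symlink races in a
 * suid mail delivery agent. All checks are made on the opened descriptor,
 * never on the pathname, so there is no check-then-use window. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a mailbox for appending without following a final-component symlink,
 * then validate what was actually opened. Returns an fd, or -1 with errno set. */
int open_mailbox_nofollow(const char *path, uid_t owner)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                    /* ELOOP when 'path' itself is a symlink */

    struct stat st;
    if (fstat(fd, &st) < 0) {         /* fstat on the fd: no second path lookup */
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    if (!S_ISREG(st.st_mode) ||       /* refuse devices, FIFOs, directories */
        st.st_uid != owner ||         /* mailbox must belong to the recipient */
        st.st_nlink != 1) {           /* refuse hard-linked files */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Create the mailbox lockfile atomically. O_CREAT|O_EXCL fails with EEXIST if
 * anything (including a pre-planted symlink) already sits at lockpath, so the
 * program never follows or truncates a target it did not create itself. */
int create_lockfile(const char *lockpath)
{
    return open(lockpath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed self-test in a fresh temp directory (not a real mail spool).
 * Returns 1 if every check behaves as intended, 0 if a check failed,
 * -1 if the scenario could not be set up. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/mbox-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;

    char mbox[4096], lnk[4096], lock[4096];
    snprintf(mbox, sizeof mbox, "%s/mailbox", dir);
    snprintf(lnk, sizeof lnk, "%s/mailbox-link", dir);
    snprintf(lock, sizeof lock, "%s/mailbox.lock", dir);

    int fd = open(mbox, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(mbox, lnk) < 0)
        return -1;

    int ok = 1;

    /* The genuine mailbox, owned by us, is accepted. */
    fd = open_mailbox_nofollow(mbox, getuid());
    if (fd < 0) ok = 0; else close(fd);

    /* The symlink is refused even though its target would pass every check. */
    fd = open_mailbox_nofollow(lnk, getuid());
    if (fd >= 0) { ok = 0; close(fd); }

    /* Lockfile: first creation succeeds, a second attempt fails with EEXIST. */
    fd = create_lockfile(lock);
    if (fd < 0) ok = 0; else close(fd);
    if (create_lockfile(lock) >= 0 || errno != EEXIST) ok = 0;

    unlink(lock); unlink(lnk); unlink(mbox); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink/lockfile hardening checks %s\n",
           demo_symlink_refused() == 1 ? "passed" : "FAILED");
    return 0;
}
```

O_EXCL alone does not address the last item in the description: anyone who can write to the directory holding the lockfiles can still pre-create another user's lock and block delivery to that mailbox. That part of the fix is a permissions decision, keeping lockfiles in a directory that only the delivery agent can write to, rather than something the open flags can provide.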

References:

http://www.securityfocus.com/bid/38924
http://www.securityfocus.com/archive/1/archive/1/510306/100/0/threaded



Copyright 2019, cxsecurity.com
