Procmail insecure signal handling functions race condition

procmail-signal-handling-race (6872) The risk level is classified as MediumMedium Risk

Description:

Procmail is vulnerable to a race condition that could allow a local attacker to cause a heap corruption. This is caused by signal handlers in Procmail failing to properly call the library functions. A local attacker can use this vulnerability to exploit race conditions within Procmail and cause a heap corruption to gain elevated privileges.

Platforms Affected:

  • Conectiva, Linux 5.0
  • Conectiva, Linux 5.1
  • Conectiva, Linux 6.0
  • Conectiva, Linux 7.0
  • Conectiva, Linux ecommerce
  • Conectiva, Linux prg_graficos
  • Debian, Debian Linux 2.2
  • FreeBSD, FreeBSD Ports Collection
  • MandrakeSoft, Mandrake Linux 7.1
  • MandrakeSoft, Mandrake Linux 7.2
  • MandrakeSoft, Mandrake Linux 8.0
  • MandrakeSoft, Mandrake Linux 8.1
  • MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
  • MandrakeSoft, Mandrake Single Network Firewall 7.2
  • Philip Guenther, procmail
  • RedHat, Linux 5.2
  • RedHat, Linux 6.2
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3

Remedy:

For Red Hat Linux 5.2:
Upgrade to the latest version of Procmail (3.21-0.52 or later), as listed in RHSA-2001:093-03. See References.

For Red Hat Linux 6.2:
Upgrade to the latest version of Procmail (3.21-0.62 or later), as listed in RHSA-2001:093-03. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest version of Procmail (3.21-0.71 or later), as listed in RHSA-2001:093-03. See References.

For FreeBSD:
Upgrade to the latest version of Procmail (3.21 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:60. See References.

For Debian GNU/Linux 2.2:
Upgrade to the latest version of Procmail (3.15.2 or later), as listed in DSA 083-1. See References.

For Conectiva Linux 5.0, prg graficos, and ecommerce:
Upgrade to the latest version of Procmail (3.22-1U50 or later), as listed in Conectiva Linux Security Announcement CLA-2001:433. See References.

For Conectiva Linux 5.1:
Upgrade to the latest version of Procmail (3.22-1U51 or later), as listed in Conectiva Linux Security Announcement CLA-2001:433. See References.

For Conectiva Linux 6.0:
Upgrade to the latest version of Procmail (3.22-1U60 or later), as listed in Conectiva Linux Security Announcement CLA-2001:433. See References.

For Conectiva Linux 7.0:M
Upgrade to the latest version of Procmail (3.22-1U70 or later), as listed in Conectiva Linux Security Announcement CLA-2001:433. See References.

For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of Procmail (3.15.2-1.4mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:085 : procmail. See References.

For Mandrake Linux 7.2 and Single Network Firewall 7.2:
Upgrade to the latest version of Procmail (3.15.2-1.3mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:085 : procmail. See References.

For Mandrake Linux 8.0:
Upgrade to the latest version of Procmail (3.15.2-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:085 : procmail. See References.

For Mandrake Linux 8.1:
Upgrade to the latest version of Procmail (3.22-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:085 : procmail. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

Reported:

Jul 13, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page