1 files changed, 141 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-96:13.comsat.asc b/share/security/advisories/FreeBSD-SA-96:13.comsat.asc
new file mode 100644
index 0000000000..73699a140d
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-96:13.comsat.asc
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-96:13					    Security Advisory
+						        	FreeBSD, Inc.
+
+Topic:		unauthorized mail reading via comsat
+
+Category:	core
+Module:		comsat
+Announced:	1996-06-05
+Affects:	All FreeBSD versions
+Corrected:	2.1-stable and 2.2-current as of 1996-06-04
+FreeBSD only:	yes
+
+Patches:	ftp://freebsd.org/pub/CERT/patches/SA-96:13/
+
+=============================================================================
+
+I.   Background    
+
+     FreeBSD made an extension to the comsat daemon to support
+     e-mail in alternate locations.  A bug was found in this
+     extension which allows an unprivileged local user to read
+     portions of other users' mail.
+
+     This problem is present in all source code and binary
+     distributions of FreeBSD released before 1996-06-03.
+
+
+II.  Problem Description
+
+     The comsat daemon does not properly set privileges before
+     attempting to read mail files for display on a user terminal.
+
+
+III. Impact
+
+     The comsat daemon may be used to read portions of files
+     in /var/mail that would not normally be accessible to a
+     particular user.  This ability is limited to the /var/mail
+     directory hierarchy.
+
+     This vulnerability can only be exploited by users with a valid
+     account on the local system.
+
+
+IV. Workaround
+
+     One may simply disable the comsat daemon in /etc/inetd.conf.
+     This will disable asynchronous notification of received mail
+     (biff messages).  This workaround will suffice for
+     all versions of FreeBSD affected by this problem.
+     
+     As root, edit the file /etc/inetd.conf and change the line
+
+     comsat	dgram	udp	wait	root	/usr/libexec/comsat	comsat
+
+     to read
+
+     #comsat	dgram	udp	wait	root	/usr/libexec/comsat	comsat
+
+     and then reboot the system or restart the inetd daemon and kill
+     off any active comsat daemons.
+
+V. Solution
+
+     The following patch fixes the permissions problem.  It should
+     apply cleanly to all FreeBSD 2.x systems.  It has not been tested
+     with FreeBSD 1.x but this change, if applied by hand, should work.
+
+    --- comsat.c	Mon Jun  3 09:07:49 1996
+    +++ comsat.c	Mon Jun  3 09:17:11 1996
+    @@ -73,7 +73,7 @@
+     time_t	lastmsgtime;
+     int	nutmp, uf;
+     
+    -void jkfprintf __P((FILE *, char[], off_t));
+    +void jkfprintf __P((FILE *, char[], char[], off_t));
+     void mailfor __P((char *));
+     void notify __P((struct utmp *, char[], off_t, int));
+     void onalrm __P((int));
+    @@ -238,15 +238,16 @@
+		cr, name, (int)sizeof(hostname), hostname,
+		folder ? cr : "", folder ? "to " : "", folder ? file : "",
+		cr, cr);
+    -	jkfprintf(tp, file, offset);
+    +	jkfprintf(tp, name, file, offset);
+	    (void)fclose(tp);
+	    _exit(0);
+     }
+     
+     void
+    -jkfprintf(tp, name, offset)
+    +jkfprintf(tp, user, file, offset)
+	    register FILE *tp;
+    -	char name[];
+    +	char user[];
+    +	char file[];
+	    off_t offset;
+     {
+	    register char *cp, ch;
+    @@ -256,10 +257,10 @@
+	    char line[BUFSIZ];
+     
+	    /* Set effective uid to user in case mail drop is on nfs */
+    -	if ((p = getpwnam(name)) != NULL)
+    +	if ((p = getpwnam(user)) != NULL)
+		    (void) setuid(p->pw_uid);
+     
+    -	if ((fi = fopen(name, "r")) == NULL)
+    +	if ((fi = fopen(file, "r")) == NULL)
+		    return;
+     
+	    (void)fseek(fi, offset, L_SET);
+
+
+=============================================================================
+FreeBSD, Inc.
+
+Web Site:			http://www.freebsd.org/
+Confidential contacts:		security-officer@freebsd.org
+PGP Key:			ftp://freebsd.org/pub/CERT/public_key.asc
+Security notifications:		security-notifications@freebsd.org
+Security public discussion:	security@freebsd.org
+
+Notice: Any patches in this document may not apply cleanly due to
+        modifications caused by digital signature or mailer software.
+        Please reference the URL listed at the top of this document
+        for original copies of all patches if necessary.
+=============================================================================
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBMeXtDFUuHi5z0oilAQG7zAP/ZfgIUqi+yBcLTBhoRh0bAeB9GJNlppF/
+rqLtJUdBpDTELjjdE21b+510Uv3j1n9/xKiXgcFRcyV0BuUTyJGA+KbOHAuy5EjZ
+3AyoIHC3bAhydQIvDYl9N3RbaH/xbmG4MZoXtIxI7peo+FbMWwRCsDCjjMggk8x1
+s69nLC+n2iw=
+=xA6e
+-----END PGP SIGNATURE-----