Bugzilla – Bug 1211196
VUL-0: CVE-2023-32182: postfix: config_postfix SUSE specific script potentially bad /tmp file usage
Last modified: 2024-07-01 10:01:04 UTC
Noticed via systemd service monitoring. From /usr/lib/systemd/system/postfix.service, among others:

> ExecStartPre=/usr/lib/postfix/systemd/config_postfix

This runs /usr/sbin/config.postfix, a ~1.500 lines bash script. In some locations safe temporary files / directories created via mktemp are used. The function `update_cf()` sticks out though:

```
update_cf() {
    while test "x$1" != "x" ; do
        B=$( find /etc/postfix/${1} -printf %CY%Cm%Cd%CI%CM )
        cp /etc/postfix/${1} "/var/adm/backup/postfix/${1}$B"
        cp /etc/postfix/${1} "/var/adm/backup/postfix/${1}"
        eval gen_${1/\./_} > /tmp/${1}.config
        mv -Z /tmp/${1}.config /etc/postfix/${1};
        shift
    done
}
```

This is e.g. invoked here:

```
if test "$MAIL_CREATE_CONFIG" = "yes"; then
    test -z "$r" && update_cf master.cf main.cf
fi
```

But also via `restore_cf()` for main.cf and master.cf.

It looks like another local user can pre-create these files in e.g. /tmp/master.cf, wait for the script to overwrite it and then just in time replace the content again with something malicious so that the `mv -Z` actually moves a compromised script into place.

This requires a closer investigation still though.
I will look into this more closely.
The problematic code seems exploitable:

- symlink attack if protected_symlinks is off
- otherwise allows to control the content of the postfix configuration

The code only runs the first time, though, or if var/adm/postfix.configured does not exist. I will involve our package maintainers soon.
Assigning to you, Peter. Please see comment 0 and comment 2. There is a fixed /tmp file usage in `config.postfix` that can cause security issues. Please check whether you can confirm it and prepare updates. We need updates for SLE first, don't publish the issue outside the company (or in OBS) until we have updates for SLE ready. We will likely also assign one of our SUSE CNA CVEs, since this is a SUSE specific script.
I agree with Matthias' assessment. Please use CVE-2023-32182
ping. Can you please have a look at this? Thanks
What about this solution?

```
update_cf() {
    while test "x$1" != "x" ; do
        TMPFILE=$(mktemp /tmp/postfix.${1}.XXXXXX) || exit 1
        B=$( find /etc/postfix/${1} -printf %CY%Cm%Cd%CI%CM )
        cp /etc/postfix/${1} "@conf_backup_dir@/${1}$B"
        cp /etc/postfix/${1} "@conf_backup_dir@/${1}"
        eval gen_${1/\./_} > $TMPFILE
        mv -Z $TMPFILE /etc/postfix/${1};
        shift
    done
}
```
(In reply to Peter Varkoly from comment #7)
> What about this solution?
> update_cf() {
>     while test "x$1" != "x" ; do
>         TMPFILE=$(mktemp /tmp/postfix.${1}.XXXXXX) || exit 1
>         B=$( find /etc/postfix/${1} -printf %CY%Cm%Cd%CI%CM )
>         cp /etc/postfix/${1} "@conf_backup_dir@/${1}$B"
>         cp /etc/postfix/${1} "@conf_backup_dir@/${1}"
>         eval gen_${1/\./_} > $TMPFILE
>         mv -Z $TMPFILE /etc/postfix/${1};
>         shift
>     done
> }

Yes, this should do, thank you.
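A hardened form of the `update_cf` pattern discussed in this bug, added here as an example; it is not the patch SUSE shipped and not code from `config.postfix`. It goes one step beyond the `mktemp` change above by creating the temporary file in the destination directory and by refusing to install the output of a failed generator. `install_generated`, `gen_good`, `gen_broken` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from config.postfix. All names are hypothetical.

# install_generated DIR NAME GENERATOR
# Runs GENERATOR (a shell function) and installs its output as DIR/NAME.
install_generated() {
    ig_dir=$1; ig_name=$2; ig_gen=$3
    # mktemp creates the file exclusively, mode 0600, under an unpredictable
    # name. Placing it in DIR (assumed root-owned and not world-writable)
    # instead of /tmp also keeps the final mv on one filesystem, so it is an
    # atomic rename and no other user can touch the file in between.
    ig_tmp=$(mktemp "$ig_dir/.$ig_name.XXXXXX") || return 1
    # Unlike the original loop, a failing generator never reaches the mv.
    if ! "$ig_gen" > "$ig_tmp"; then
        rm -f -- "$ig_tmp"
        return 1
    fi
    # The page's script uses "mv -Z" to reset the SELinux label; plain mv is
    # used here so the example also runs on systems without SELinux.
    if chmod 0644 -- "$ig_tmp" && mv -f -- "$ig_tmp" "$ig_dir/$ig_name"; then
        return 0
    fi
    rm -f -- "$ig_tmp"
    return 1
}

# Constructed generators standing in for the script's gen_* functions.
gen_good() { printf 'myhostname = mail.example.test\n'; }
gen_broken() { printf 'partial outp'; return 1; }

# demo: exercise both cases in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'old = value\n' > "$d/main.cf"
    if install_generated "$d" main.cf gen_broken; then
        echo "unexpected: broken generator output was installed"
    else
        echo "broken generator rejected, main.cf still: $(cat "$d/main.cf")"
    fi
    if install_generated "$d" main.cf gen_good; then
        echo "installed: $(cat "$d/main.cf")"
    fi
    echo "directory entries: $(ls -A "$d")"
    rm -rf -- "$d"
}
demo
```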
SUSE-SU-2023:3394-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1211196, 1213515
CVE References: CVE-2023-32182
Sources used:
openSUSE Leap 15.5 (src): postfix-bdb-3.7.3-150500.3.5.1, postfix-3.7.3-150500.3.5.1
Basesystem Module 15-SP5 (src): postfix-3.7.3-150500.3.5.1
Legacy Module 15-SP5 (src): postfix-bdb-3.7.3-150500.3.5.1
Server Applications Module 15-SP5 (src): postfix-3.7.3-150500.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
make bug public as we released updates.
Petr, can you resubmit for 15-SP3 at least where it was declined due to a build failure?
(In reply to Marcus Meissner from comment #17)
> Petr,
Peter
> can you resubmit for 15-SP3 at least where it was declined due to a build failure?

I'm just working on the build failure.
SUSE-SU-2023:3732-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1211196, 1215372
CVE References: CVE-2023-32182
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postfix-3.2.10-3.27.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postfix-3.2.10-3.27.2
SUSE Linux Enterprise Server 12 SP5 (src): postfix-3.2.10-3.27.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postfix-3.2.10-3.27.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3791-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1211196, 1215372
CVE References: CVE-2023-32182
Sources used:
openSUSE Leap 15.4 (src): postfix-3.4.7-150200.3.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3945-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1211196, 1215372
CVE References: CVE-2023-32182
Sources used:
openSUSE Leap 15.4 (src): postfix-3.5.9-150300.5.12.2, postfix-bdb-3.5.9-150300.5.12.2
Basesystem Module 15-SP4 (src): postfix-3.5.9-150300.5.12.2
Legacy Module 15-SP4 (src): postfix-bdb-3.5.9-150300.5.12.2
Server Applications Module 15-SP4 (src): postfix-3.5.9-150300.5.12.2
SUSE Manager Proxy 4.2 (src): postfix-3.5.9-150300.5.12.2
SUSE Manager Retail Branch Server 4.2 (src): postfix-3.5.9-150300.5.12.2
SUSE Manager Server 4.2 (src): postfix-3.5.9-150300.5.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
FIXED