-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.607 2010/03/23 14:06:48 jetmore Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.608 2010/05/26 12:26:00 nm4 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
JJ/03 installed exipick 20100323.0, fixing doc bug
+NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail
+ directory. Notification and patch from Dan Rosenberg
+
Exim version 4.71
-----------------
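Review bot: The NM/06 entry names the CVE but does not state the behaviour change an administrator will see. Per the appendfile.c change in this same patch, a mailbox file whose link count is not exactly 1 now ends the delivery attempt with "mailbox ... has too many links". Suggest adding that to the entry, so that sites with intentionally hard-linked mailbox files can connect the new error to this change.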
-/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.24 2009/11/16 19:50:39 nm4 Exp $ */
+/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.25 2010/05/26 12:26:01 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
goto RETURN;
}
+ /* Just in case this is a sticky-bit mail directory, we don't want
+ users to be able to create hard links to other users' files. */
+
+ if (statbuf.st_nlink != 1)
+ {
+ addr->basic_errno = ERRNO_NOTREGULAR;
+ addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
+ filename, islink? " (symlink)" : "", statbuf.st_nlink);
+ goto RETURN;
+
+ }
+
/* If symlinks are permitted (not recommended), the lstat() above will
have found the symlink. Its ownership has just been checked; go round
the loop again, using stat() instead of lstat(). That will never yield a
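Review bot: In the added string_sprintf() call, statbuf.st_nlink is passed to a %d conversion, but st_nlink has type nlink_t, which is not guaranteed to be int-sized on every platform; cast it explicitly, for example `(int)statbuf.st_nlink`, or use a wider conversion with a matching cast. Two smaller points in the same block: the error is reported as ERRNO_NOTREGULAR although the file may well be a regular file, so anything keyed on that error code cannot tell a hard-linked mailbox from a non-regular one (a dedicated code, or at least a comment explaining the reuse, would help); and the stray blank line between `goto RETURN;` and the closing brace should be removed. The new comment could also note that, with the symlink case described in the following context, the link-count test runs once on the lstat() result and again on the stat() result after the loop goes round, which looks intentional but is not stated.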