COMMAND

    procmail

SYSTEMS AFFECTED

    Debian (others)

PROBLEM

    Chris Evans found something potentially more serious than boring
    heap overflows in procmail. In summary, local users can dump the
    contents of any file to the screen. The faulty code sequence is in
    the handling of .procmailrc files and goes something like this:

        1) stat .procmailrc (as root) - if it can't be stat'ed, keep
           root privs
        2) open .procmailrc
        3) do an lstat on .procmailrc for the security check

    By replacing .procmailrc after steps 1) and 2) with a symlink to
    the file to dump and a regular file respectively, we can win a
    race condition. You might not think this is a very plausible race,
    but with a few deep directory/multiple symlink tricks/SIGSTOP/etc.
    the window can be made quite wide. This is definitely exploitable.
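    The sequence above checks a path name both before and after the
    open, so neither check is bound to the object that was actually
    opened. The pattern that closes the window is lstat, open, then
    fstat on the descriptor and compare the device/inode pair. The C
    below is an added example of that pattern, not procmail's own
    code; the rc recipe text, the temp directory and demo() are
    constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Return an fd for PATH only if it is a regular file owned by OWNER, not
 * group/other-writable, and the fd refers to the very inode lstat() saw.
 * The check is bound to the opened object, not to a swappable path name. */
int open_rc_safely(const char *path, uid_t owner)
{
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode))
        return -1;                    /* missing, symlink, directory ... */
    if (before.st_uid != owner || (before.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;                    /* wrong owner or too permissive */
    /* O_NONBLOCK: should a FIFO be swapped in meanwhile, open() must not hang. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() describes what was actually opened; a name replaced between
     * lstat() and open() yields a different dev/ino pair and is rejected. */
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode)
        || after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture (not from the advisory): a private temp dir with a
 * regular rc file and a symlink posing as one. Returns 1 when the file is
 * accepted and the symlink rejected, 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/rcdemo.XXXXXX", rc[80], link[80];
    if (!mkdtemp(dir)) return 0;
    snprintf(rc, sizeof rc, "%s/rc", dir);
    snprintf(link, sizeof link, "%s/rc-link", dir);
    FILE *f = fopen(rc, "w");
    if (!f) return 0;
    fputs(":0\n* ^Subject:.*test\nmailbox\n", f);   /* harmless sample recipe */
    fclose(f);
    chmod(rc, 0600);                  /* owner-only, as a real rc file should be */
    symlink(rc, link);
    int good = open_rc_safely(rc, getuid()), bad = open_rc_safely(link, getuid());
    if (good >= 0) close(good);
    unlink(link); unlink(rc); rmdir(dir);
    return good >= 0 && bad == -1;
}
```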

SOLUTION

    A new procmail has been released (version 3.13.1), which fixes a
    few buffer overflows and eliminates a keyword conflict with newer
    versions of gcc. These buffer overflows are probably 'slightly
    more difficult' to exploit as they involve particular variables
    instead of variable expansion in general. It also fixes the
    problem above:

        http://www.procmail.org/procmail.tar.gz
        ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz

    Debian has been notified and so will probably be releasing an
    updated package shortly.