18 September 2004
-SECURITY: previous versions of getmail contain a security vulnerability.
A local attacker with a shell account could exploit a race condition (or a
similar symlink attack) to cause getmail to create or overwrite files in a
directory of the local user's choosing if the system administrator ran getmail
as root and delivered messages to a maildir or mbox file under the control of
the attacker, resulting in a local root exploit. Fixed in versions 4.2.0
and 3.2.5.
This vulnerability is not exploitable if the administrator does not deliver
mail to the maildirs/mbox files of untrusted local users, or if getmail is
configured to use an external unprivileged MDA. This vulnerability is
not remotely exploitable.
Thanks: David Watson. My gratitude to David for his work on finding and
analyzing this problem.
-Now, on Unix-like systems when run as root, getmail forks a child
process and drops privileges before delivering to maildirs or mbox files.
getmail will absolutely refuse to deliver to such destinations as root;
the uid to switch to must be configured in the getmailrc file.
-revert behaviour regarding delivery to non-existent mbox files. Versions
4.0.0 through 4.1.5 would create the mbox file if it did not exist; in
versions 4.2.0 and up, getmail reverts to the v.3 behaviour of refusing
to do so.