ID CVE-2006-5297
Summary Race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems.
References
Vulnerable Configurations
  • cpe:2.3:a:mutt:mutt:0.95.6
  • cpe:2.3:a:mutt:mutt:1.2.1
  • cpe:2.3:a:mutt:mutt:1.2.5
  • cpe:2.3:a:mutt:mutt:1.2.5.1
  • cpe:2.3:a:mutt:mutt:1.2.5.4
  • cpe:2.3:a:mutt:mutt:1.2.5.5
  • cpe:2.3:a:mutt:mutt:1.2.5.12
  • cpe:2.3:a:mutt:mutt:1.2.5.12_ol
  • cpe:2.3:a:mutt:mutt:1.3.12
  • cpe:2.3:a:mutt:mutt:1.3.12.1
  • cpe:2.3:a:mutt:mutt:1.3.16
  • cpe:2.3:a:mutt:mutt:1.3.17
  • cpe:2.3:a:mutt:mutt:1.3.22
  • cpe:2.3:a:mutt:mutt:1.3.24
  • cpe:2.3:a:mutt:mutt:1.3.25
  • cpe:2.3:a:mutt:mutt:1.3.27
  • cpe:2.3:a:mutt:mutt:1.3.28
  • cpe:2.3:a:mutt:mutt:1.4.0
  • cpe:2.3:a:mutt:mutt:1.4.1
  • cpe:2.3:a:mutt:mutt:1.4.2
  • cpe:2.3:a:mutt:mutt:1.4.2.1
  • Mutt 1.5.3
    cpe:2.3:a:mutt:mutt:1.5.3
  • Mutt 1.5.10
    cpe:2.3:a:mutt:mutt:1.5.10
  • Mutt 1.5.12
    cpe:2.3:a:mutt:mutt:1.5.12
CVSS
Base: 1.2 (as of 17-10-2006 - 09:05)
Impact:
Exploitability:
Access
    Vector LOCAL
    Complexity HIGH
    Authentication NONE
Impact
    Confidentiality NONE
    Integrity PARTIAL
    Availability NONE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0386.NASL
    description From Red Hat Security Advisory 2007:0386 : An updated mutt package that fixes several security bugs is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Mutt is a text-mode mail user agent. A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted 'Real Name' which could execute arbitrary code if a victim uses Mutt and expands the attacker's alias. (CVE-2007-2683) All users of mutt should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67505
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67505
    title Oracle Linux 3 / 4 / 5 : mutt (ELSA-2007-0386)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-373-1.NASL
    description Race conditions were discovered in mutt's handling of temporary files. Under certain conditions when using a shared temp directory (the default), other local users could overwrite arbitrary files owned by the user running mutt. This vulnerability is more likely when the temp directory is over NFS. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27954
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27954
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : mutt vulnerabilities (USN-373-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070604_MUTT_ON_SL5_X.NASL
    description A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted 'Real Name' which could execute arbitrary code if a victim uses Mutt and expands the attacker's alias. (CVE-2007-2683)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60195
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60195
    title Scientific Linux Security Update : mutt on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0386.NASL
    description An updated mutt package that fixes several security bugs is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Mutt is a text-mode mail user agent. A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted 'Real Name' which could execute arbitrary code if a victim uses Mutt and expands the attacker's alias. (CVE-2007-2683) All users of mutt should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25404
    published 2007-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25404
    title RHEL 3 / 4 / 5 : mutt (RHSA-2007:0386)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-190.NASL
    description A race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems. (CVE-2006-5297) The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and earlier does not properly verify that temporary files have been created with restricted permissions, which might allow local users to create files with weak permissions via a race condition between the mktemp and safe_fopen function calls. (CVE-2006-5298) Updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24575
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24575
    title Mandrake Linux Security Advisory : mutt (MDKSA-2006:190)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0386.NASL
    description An updated mutt package that fixes several security bugs is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Mutt is a text-mode mail user agent. A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted 'Real Name' which could execute arbitrary code if a victim uses Mutt and expands the attacker's alias. (CVE-2007-2683) All users of mutt should upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25403
    published 2007-06-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25403
    title CentOS 3 / 4 / 5 : mutt (CESA-2007:0386)
oval via4
accepted 2013-04-29T04:07:00.415-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems.
family unix
id oval:org.mitre.oval:def:10601
status accepted
submitted 2010-07-09T03:56:16-04:00
title Race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems.
version 24
redhat via4
advisories
rhsa
id RHSA-2007:0386
rpms
  • mutt-5:1.4.1-5.el3
  • mutt-5:1.4.1-12.0.3.el4
  • mutt-5:1.4.2.2-3.0.2.el5
refmap via4
bid 20733
mandriva MDKSA-2006:190
mlist [mutt-dev] 20061004 security problem with temp files [was Re: mutt_adv_mktemp() ?]
secunia
  • 22613
  • 22640
  • 22685
  • 22686
  • 25529
trustix 2006-0061
ubuntu USN-373-1
vupen ADV-2006-4176
statements via4
contributor Joshua Bressers
lastmodified 2007-09-07
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085 The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.
Last major update 17-10-2016 - 23:41
Published 16-10-2006 - 15:07
Last modified 10-10-2017 - 21:31