CVE-2008-4977

Published: 06 November 2008

** DISPUTED ** postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating "This is not a real issue ... users would have to edit a script under /usr/lib to enable it."

Priority

Low

Status

Package Release Status
postfix
Launchpad, Ubuntu, Debian
Upstream Needs triage

Notes

AuthorNote
jdstrand
per Debian, Not enabled by default, needs manual modification of a
script

References