PublicDateAtUSN: 2009-09-21
Candidate: CVE-2009-2939
PublicDate: 2009-09-21 19:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2939
 http://www.openwall.com/lists/oss-security/2009/09/18/6
 https://ubuntu.com/security/notices/USN-1113-1
Description:
 The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix
 2.5.5 package grants the postfix user write access to
 /var/spool/postfix/pid, which might allow local users to conduct symlink
 attacks that overwrite arbitrary files.
Ubuntu-Description:
Notes:
 jdstrand> per Weitse, the symlink attack should not be possible due to
  defensive programming. A subverted postfix process running as 'postfix'
  could replace the pid file, which master could then send signals to.
Bugs:
Priority: negligible
Discovered-by:
Assigned-to:
CVSS: 

Patches_postfix:
upstream_postfix: released (2.6.5-3)
dapper_postfix: released (2.2.10-1ubuntu0.3)
hardy_postfix: released (2.5.1-2ubuntu1.3)
intrepid_postfix: needed (reached end-of-life)
jaunty_postfix: ignored (reached end-of-life)
karmic_postfix: released (2.6.5-3)
lucid_postfix: released (2.6.5-3)
maverick_postfix: released (2.6.5-3)
devel_postfix: released (2.6.5-3)