CVE-2009-2939

Priority
Description
The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix
2.5.5 package grants the postfix user write access to
/var/spool/postfix/pid, which might allow local users to conduct symlink
attacks that overwrite arbitrary files.
Notes
jdstrand: per Wietse, the symlink attack should not be possible due to
defensive programming. A subverted postfix process running as 'postfix'
could replace the pid file, which master could then send signals to.
Package
Upstream: released (2.6.5-3)

Updated: 2019-12-05 20:53:38 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)