Symlink Vulnerability in Postfix on Debian and Ubuntu
CVE-2009-2939
Currently unrated
What is CVE-2009-2939?
The postfix.postinst script in the Debian GNU/Linux and Ubuntu Postfix 2.5.5 package contains a permissions misconfiguration: it grants the postfix user unnecessary write access to /var/spool/postfix/pid, which lets local users carry out symlink attacks. These attacks can overwrite arbitrary files, posing a significant risk to the integrity of the mail system.
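One way to audit a host for the condition described above, as an added example that is not code from the Postfix package or the Debian/Ubuntu maintainers. The helper name audit_pid_dir is hypothetical, and the script assumes GNU stat as shipped on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the Debian/Ubuntu package). Assumes GNU stat.
# audit_pid_dir DIR ACCOUNT   (hypothetical helper name)
# Prints findings; returns 0 when there are none, 1 otherwise.
audit_pid_dir() {
    dir=$1
    account=$2
    findings=0

    # The directory itself must be a real directory, not a link to elsewhere.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FINDING: $dir is a symlink or not a directory"
        return 1
    fi

    owner=$(stat -c '%U' "$dir")
    perms=$(stat -c '%A' "$dir")    # symbolic form, e.g. drwxr-xr-x

    # Owner write bit is character 3 of the symbolic mode.
    case $perms in
        ??w*)
            if [ "$owner" = "$account" ]; then
                echo "FINDING: $dir is owned and writable by $account ($perms)"
                findings=1
            fi ;;
    esac

    # Group write is character 6, other write is character 9.
    case $perms in
        ?????w*|????????w*)
            echo "FINDING: $dir is group- or world-writable ($perms)"
            findings=1 ;;
    esac

    # Symlinks inside the directory are the indicator to review for the
    # symlink attack the page describes.
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
        echo "FINDING: symlinks present in $dir:"
        echo "$links"
        findings=1
    fi

    [ "$findings" -eq 0 ]
}

# Example call on a Debian/Ubuntu host:
#   audit_pid_dir /var/spool/postfix/pid postfix
```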
