S-nail announcement

S-nail v14.8.16 ("Copris lunaris")

Hello list.

This release fixes an at least theoretical security vulnerability
of the privilege-separated child, which does not strip path
separators from arguments.

It can thus be forced (by a local attacker) to create an exclusive
file for a very short time -- if that happens to be in a PolicyKit
directory, and if the supervising program is capable of injecting
some PolicyKit directives, and if PolicyKit reads those directives
before the file is unlink(2)ed again (after an fchown(2) followed
by link(2)), then the written directives could force PolicyKit to
do bad things.

In any case, inotifyd hooks could be triggered when they shouldn't be.
Sorry.

Thanks to wapiflapi for reporting this issue!

We welcome wapiflapi in THANKS!

Number games
^^^^^^^^^^^^

The tagged release commits are [stable/v14.8]:[12751f24], and
[release/v14.8.16]:[c2044864] (actual release content).
The release has also been stored as [timeline]:[cc4f8c5e].
The git(1) release commits and tags as well as the release tarball
itself have been signed with the OpenPGP key
  steffen@sdaoden.eu  /  95F382CE
  (232C 220B CB56 90A3 7BD2  2FFD EB66 0227 95F3 82CE)
available on OpenPGP key servers, my website and download area,
and also in the repository (blob tagged steffen-pgp-pub).

Release balls and OpenPGP signatures (.asc) can be downloaded via
HTTPS/HTTP and anonymous active or passive FTPS/FTP (truly: still
www.sdaoden.eu/downloads, but only via HTTPS/HTTP).  Copies of the
signatures are also included far below, usable from within your
favourite MUA.

  https?://ftp.sdaoden.eu
  ftps?://ftp.sdaoden.eu

s-nail-14.8.16.tar.xz:
    SHA1 0b0b189fed307a525967128d3d05cacc5019ba4d
  SHA256 9b6123499eea070d6f6c242661aed1522826d9fa78abc26d55e5dc2339b959df
  SHA512 c6e431df0325cb2561bdc6dd507155829ab48cc8731971139d75058a1bfbd010eab3a1077b5c45ac7850d3b71ab45cf4df7ab62b1b6a1bf97b098b5278161b15
s-nail-14.8.16.tar.gz:
    SHA1 55618a385f695fd1d0fd47cb591a47a2d58e233f
  SHA256 c69b74fb4b1c2a1a241d539f553154a71e774e871223ee808e8639665d9b4cca
  SHA512 a0b5706a1c4ad765984d5eb5c265e07a60b619392a203fdf5db3a56ba21243db1023b2c3650c7e2a4d2cf46242a8f244689ddb00fc9aad0d5811e7583a9c50cd

All files are available as "-latest" symbolic links, too, e.g.,
s-nail-latest.txt (a copy of this announcement text).

  Announcement : https?://www.sdaoden.eu/code-nail-ann.html
  Manual       : https?://www.sdaoden.eu/code-nail.html
  Web          : https?://www.sdaoden.eu/code.html#s-mailx
  git(1) clone : https?://git.sdaoden.eu/scm/s-nail.git
  git(1) browse: https?://git.sdaoden.eu/cgit/s-nail.git

  In the following mdocmx(7) anchors are denoted by a number-sign #:
  typing "^A ANCHOR" while reading the man(1)ual in a capable less(1)
  will scroll to the manual's Point-Of-Interest, and pointing a web
  browser to the "#ANCHOR" of the online manual will do so, too.

git(1) shortlog (edited)
^^^^^^^^^^^^^^^^^^^^^^^^

cc48b652 FIX privsep.c, yes, vulnerability (wapiflapi)..
7802c68f THANKS: wapiflapi
8aade177 FIX privsep.c vulnerability, II (forgot hostname!) (wapiflapi)

Appendix
^^^^^^^^

The complete changelog of commits in between two versions OLD and
NEW can be inspected by using the git(1) `log' command:

  $ git log --reverse --topo-order --abbrev-commit OLD..NEW
  # Only topic branch headers (--no-merges for content commits only):
  $ git log --oneline --reverse --topo-order --merges OLD..NEW
  # Same, but truly accessible:
  $ git log --oneline --reverse --topo-order --merges --parents OLD..NEW |
    while read c1 c2 c3 c4 c5 c6; do
      printf "%-24s: \$ git log --oneline --no-merges %s ^%s\n" \
        "${c6}" "${c1}" "${c2}";
    done

The vXX.X.* announcements have been shortened at this point;
to see the older entries please have a look at [1].

  [1] https://www.mail-archive.com/s-nail-users@lists.sourceforge.net/msgXXXXX.html

Even older announcements:
  v14.8.0 - v14.8.6: 00292
    v14.8.7 - v14.8.8: 00374, v14.8.9: 00435, v14.8.10: 00445
    [v14.8.11: 00495], v14.8.12: 00502, [v14.8.13: 00514],
    v14.8.14: 00519, v14.8.15: 00547
  v14.7: 00094
    v14.7.1: 00129, v14.7.2 - v14.7.8: 00193, v14.7.9 - v14.7.10: 00216,
    v14.7.11: 00240
Replace the XXX in the following URL with the shown number:
  https://www.mail-archive.com/s-nail-users@lists.sourceforge.net/msgXXX.html


Copyright (c) 1997 - 2016, Steffen (Daode) Nurpmeso <steffen@sdaoden.eu>
@(#)code-nail-ann.html-w42 1.6 2017-01-27T20:45:33+0000