Vulnerability in Postfix

CVE-2009-2939

The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix 2.5.5 package grants the postfix user write access to /var/spool/postfix/pid, which might allow local users to conduct symlink attacks that overwrite arbitrary files.

EPSS: 0.005 (38.5th percentile) — read the EPSS interpretation.

Affected products

Postfix — versions 2.5.5
Debian Debian_linux — versions 6.06
Ubuntu Ubuntu_linux — versions 4.0
N/a — versions n/a

Weakness classification (CWE)

CWE-59 — Improper Link Resolution Before File Access

References

cve@mitre.org (mailing-list, x_refsource_MLIST, Exploit)
cve@mitre.org (vendor-advisory, x_refsource_DEBIAN)