Bug ID 1095783
Summary New package mailutils required for new GNU Emacs includes two suid/sgid programs
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware All
OS openSUSE Factory
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter werner@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

For the new GNU Emacs 26.1 I need a new package called mailutils, as upstream Emacs
has removed a lot of builtin functionality and replaced it with that of
mailutils.  The package mailutils has some helper programs

 dotlock  -- lock mail spool files
 frm      -- display From: lines
 from     -- display from and subject
 maidag   -- the mail delivery agent
 mail     -- process mail messages
 messages -- count the number of messages in a mailbox
 mimeview -- display files, using mailcap mechanism
 movemail -- move messages across mailboxes
 readmsg  -- print messages
 sieve    -- a mail filtering tool

where dotlock is root:root 02755 and maidag root:root 04755

Besides this, mailutils has another MH tool collection and an imap4d as well as
a pop3d daemon.

For dotlock and maidag I see, without a permissions file,

[  109s] mailutils.x86_64: E: permissions-file-setuid-bit (Badness: 10000)
/usr/bin/dotlock is packaged with setuid/setgid bits (02755)
[  109s] mailutils-server.x86_64: E: permissions-file-setuid-bit (Badness:
10000) /usr/sbin/maidag is packaged with setuid/setgid bits (04755)
[  109s] If the package is intended for inclusion in any SUSE product please
open a bug
[  109s] report to request review of the program by the security team

and with permission files

[  116s] mailutils.x86_64: E: permissions-unauthorized-file (Badness: 10000)
/etc/permissions.d/mailutils
[  116s] mailutils.x86_64: E: permissions-unauthorized-file (Badness: 10000)
/etc/permissions.d/mailutils.paranoid

hence this bug report
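
An added example, not part of the original report and not rpmlint's own code: a small Python parser that rejoins the mail-wrapped build-log lines quoted above, extracts the permissions-file-setuid-bit findings, and decodes which special bit each octal mode carries. The function names are hypothetical; the log text is copied from the report.

```python
import re
import stat

# Build-log excerpt copied from the report, still hard-wrapped as in the mail.
LOG = """\
[  109s] mailutils.x86_64: E: permissions-file-setuid-bit (Badness: 10000)
/usr/bin/dotlock is packaged with setuid/setgid bits (02755)
[  109s] mailutils-server.x86_64: E: permissions-file-setuid-bit (Badness:
10000) /usr/sbin/maidag is packaged with setuid/setgid bits (04755)
[  116s] mailutils.x86_64: E: permissions-unauthorized-file (Badness: 10000)
/etc/permissions.d/mailutils
"""

STAMP = re.compile(r"^\[\s*\d+s\]\s*")
FINDING = re.compile(
    r"(?P<pkg>\S+): E: permissions-file-setuid-bit\s+\(Badness:\s+\d+\)\s+"
    r"(?P<path>/\S+) is packaged with setuid/setgid bits \((?P<mode>[0-7]+)\)"
)

def unwrap(log):
    """Rejoin wrapped lines: each '[ NNNs]' stamp starts a new record."""
    records = []
    for line in log.splitlines():
        if STAMP.match(line):
            records.append(STAMP.sub("", line))
        elif records:
            records[-1] += " " + line.strip()
    return records

def special_bits(mode):
    """Name the special permission bits set in a numeric file mode."""
    names = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
             (stat.S_ISVTX, "sticky"))
    return [name for bit, name in names if mode & bit]

def setuid_findings(log):
    """Return (package, path, mode string, special bits) per finding."""
    found = []
    for record in unwrap(log):
        m = FINDING.search(record)
        if m:
            bits = special_bits(int(m["mode"], 8))
            found.append((m["pkg"], m["path"], m["mode"], bits))
    return found

if __name__ == "__main__":
    for pkg, path, mode, bits in setuid_findings(LOG):
        print(f"{pkg}: {path} mode {mode} -> {', '.join(bits)}")
```

With the root:root ownership stated in the report, the decoded bits mean dotlock runs with group root and maidag with user root, regardless of who invokes them.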

