Local privilege escalation from user wwwrun to root in the packaging of mailman
Description
A symlink following vulnerability in mailman packaging on SUSE/openSUSE allows local attackers to escalate from wwwrun to root and change arbitrary files to group mailman.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A symlink following vulnerability in mailman packaging on SUSE/openSUSE allows local attackers to escalate from wwwrun to root and change arbitrary files to group mailman.
Vulnerability
The mailman package on SUSE Linux Enterprise Server 11, 12, and openSUSE Leap 15.1 contains a symlink following vulnerability in its post-installation script. During package upgrade or reinstallation, the script executes chown wwwrun.mailman on the file %{varmmdir}/logs/error. If the kernel parameter fs.protected_hardlinks is set to 0, a local user in the mailman group can replace this log file with a hard link to an arbitrary file, causing the chown operation to change the group ownership of the target file to mailman. Affected versions: SUSE Linux Enterprise Server 11 (mailman prior to 2.1.15-9.6.15.1), SUSE Linux Enterprise Server 12 (mailman prior to 2.1.17-3.11.1), and openSUSE Leap 15.1 (mailman version 2.1.29-lp151.2.14 and prior). [1]
Exploitation
An attacker must have local access as a user in the mailman group (or as wwwrun). The attacker removes the existing error file in /var/lib/mailman/logs/ and creates a hard link from that path to a target file (e.g., /etc/shadow). When the mailman package is reinstalled or upgraded (e.g., via zypper in -f mailman), the post-install script runs chown wwwrun.mailman on the hard-linked path, changing the group ownership of the target file to mailman. This allows the attacker to read the file if it has group read permissions. [1]
Impact
A local attacker in the mailman group can change the group ownership of arbitrary files to mailman, potentially gaining read access to sensitive system files such as /etc/shadow. Additionally, a user running as wwwrun can leverage the same vector to escalate privileges to root, as the chown operation is performed with root privileges. [1]
Mitigation
Fixed versions are available: SUSE Linux Enterprise Server 11 (mailman 2.1.15-9.6.15.1 and later), SUSE Linux Enterprise Server 12 (mailman 2.1.17-3.11.1 and later), and openSUSE Leap 15.1 (mailman later than 2.1.29-lp151.2.14). As a workaround, system administrators can set the kernel parameter fs.protected_hardlinks=1 to prevent hardlink attacks. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
25- osv-coords21 versionspkg:rpm/opensuse/mailman&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/mailman&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/mailman&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/mailman&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/mailman&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/mailman&distro=SUSE%20Package%20Hub%2015%20SP1
< 2.1.29-lp151.3.3.1+ 20 more
- (no CPE)range: < 2.1.29-lp151.3.3.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.15-9.6.15.1
- (no CPE)range: < 2.1.15-9.6.15.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.17-3.11.1
- (no CPE)range: < 2.1.29-bp151.5.3.1
mailman+ 1 more
- (no CPE)range: mailman
- (no CPE)range: mailman
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3- lists.opensuse.org/opensuse-security-announce/2020-01/msg00059.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2020-02/msg00000.htmlmitrevendor-advisoryx_refsource_SUSE
- bugzilla.suse.com/show_bug.cgimitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.