I still don't buy that sendmail is "fixed".

*Hobbit* (hobbit@avian.org)
Fri, 24 Feb 1995 00:56:27 -0500

In readcf.c, we still have the following fragment:

...
	if (!safe && RealUid == 0)
		safe = TRUE;
	if (!safe && strchr("bCdeijLmoprsvw7", opt) == NULL)
	{
  ===>		if (opt != 'M' || (val[0] != 'r' && val[0] != 's'))
		{
			if (tTd(37, 1))
				printf(" (unsafe)");
			if (RealUid != geteuid())
			{
				if (tTd(37, 1))
					printf("(Resetting uid)");
				(void) setgid(RealGid);
				(void) setuid(RealUid);
			}
		}
	}
	if (tTd(37, 1))
		printf("\n");
...

What is the line with "===>" in front of it really supposed to be doing?

Why should we let ordinary users define macros at all, and do crap like
override or add to $j?!

I would reduce the "string of options considered safe" down to "dijLmv7".

	*	*	*

And as far as parsing identd stuff, what der Mouse said about reads, and
what Wietse wrote into tcpd that appears to read a username in a safe way,
and DISCARDS everything after the first space.  We wake up and suddenly
realize that identd responses are to be considered "user input".

\r\nCroot\r\nR<"|/bin/echo HAHA > somefile">\r\nHBogus:   indeed.  Maybe
I'll just leave my identd wired this way for a while just to screw with
people's heads.  Maybe I'll change "somefile" to "/dev/kmem".

Why am I so *PISSED OFF* about this?!  It's only ones and zeros, fer krissake.

_H*
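
An added example, not part of the original message and not code from sendmail or tcpd: one way to treat an ident reply as user input, keeping only the user name up to the first whitespace and rejecting anything else. The names ident_user and IDENT_USER_MAX, the length cap and the character whitelist are assumptions made for this sketch, and the port fields are not validated here.

```c
#include <stdio.h>
#include <string.h>

#define IDENT_USER_MAX 32	/* assumed cap on user name length */
/* Assumed whitelist: any other character in the name rejects the reply. */
static int user_char_ok(int c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/* Extract the user from "<port> , <port> : USERID : <opsys> : <user>".
 * Returns 0 with the name in out, or -1 (out emptied) if unusable. */
int ident_user(const char *reply, char *out, size_t outlen)
{
	const char *p, *kind = strchr(reply, ':');
	size_t n = 0;
	if (outlen == 0) return -1;
	out[0] = '\0';
	if (kind == NULL) return -1;
	kind += 1 + strspn(kind + 1, " \t");
	if (strncmp(kind, "USERID", 6) != 0) return -1;
	/* The user field follows the third colon, all on the first line. */
	if ((p = strchr(kind, ':')) == NULL || (p = strchr(p + 1, ':')) == NULL)
		return -1;
	if (strcspn(reply, "\r\n") < (size_t)(p - reply)) return -1;
	p += 1 + strspn(p + 1, " \t");
	/* Copy up to the first whitespace; everything after it is discarded. */
	while (*p != '\0' && strchr(" \t\r\n", *p) == NULL) {
		if (!user_char_ok((unsigned char)*p) || n >= IDENT_USER_MAX || n + 1 >= outlen) {
			out[0] = '\0';
			return -1;
		}
		out[n++] = *p++;
	}
	out[n] = '\0';
	return n > 0 ? 0 : -1;
}

int main(void)
{
	/* Constructed replies: a normal one, then one with CR LF in the user field. */
	const char *r[] = { "113 , 25 : USERID : UNIX : alice extra\r\n",
			    "113 , 25 : USERID : UNIX : \r\nX: injected\r\n" };
	char u[64];
	for (int i = 0; i < 2; i++)
		printf("%d -> %d \"%s\"\n", i, ident_user(r[i], u, sizeof u), u);
	return 0;
}
```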