On Tue, 10 Oct 1995, Casper Dik wrote:

> >Who knows what the root-shell-giving security hole is in Sendmail 8.6.12
> >that was incompletely patched in 8.7, and (supposedly) finally patched
> >in 8.7.1?
>
> It's just syslog() overrunning the stack again. There's also another problem
> which causes the data segment to be overrun, but that's not as easy
> to abuse (if at all).

There also seems to be some sort of problem with body types. The following
is quoted from the Sendmail 8.7.1 RELEASE_NOTES file:

  "Fix a problem that might cause a non-standard -B (body type) parameter
  to be passed to the next server with undefined results. This could have
  security implications."

Anyone have a clue as to what these "security implications" are? The
patch included follows... pretty easy to understand.

<begin patch to src/main.c>
***************
*** 789,795 ****
  			else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
  				SevenBitInput = FALSE;
  			else
! 				usrerr("Illegal body type %s", optarg);
  
  			/* Enforce use of local time (null string overrides this) */
  			if (TimeZoneSpec == NULL)
--- 789,798 ----
  			else if (strcasecmp(CurEnv->e_bodytype, "8BITMIME") == 0)
  				SevenBitInput = FALSE;
  			else
! 			{
! 				usrerr("Illegal body type %s", CurEnv->e_bodytype);
! 				CurEnv->e_bodytype = NULL;
! 			}
  
  			/* Enforce use of local time (null string overrides this) */
  			if (TimeZoneSpec == NULL)
<end patch>

I haven't had time to play around with body types yet; although this bug
seems to be patched, we can never be sure with sendmail. :)
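Review bot: the `CurEnv->e_bodytype = NULL;` line in the new else branch is the part that matters, because usrerr() does not end option processing (the trailing context shows execution continuing into the TimeZoneSpec check), so the old branch reported the bad value and then left it in the envelope to be relayed as -B to the next hop. Two follow-ups for review: the old message formatted `optarg` rather than `CurEnv->e_bodytype`, so the format-argument change is correct, but it is worth confirming that no other path stores into e_bodytype without passing through this check; and since e_bodytype can now be NULL even though a -B was given, every place that later formats it for the outgoing command line should be checked to tolerate NULL.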
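The following is an added example, not sendmail code and not part of the original post, that models why the NULL assignment in the 8.7.1 hunk is needed: the error reporter does not abort, so rejecting the value without clearing it still lets it reach the argument vector built for the next server. The `struct envelope`, `build_relay_args` and `relays_body_type` names are assumptions made for this illustration; only the 7BIT/8BITMIME check and the clear-on-reject behaviour mirror the patch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdbool.h>

/* Minimal stand-in for the envelope field the hunk touches
 * (an assumption for this example, not sendmail's struct envelope). */
struct envelope {
    const char *e_bodytype;   /* value given with -B, or NULL */
};

static bool SevenBitInput = true;

/* Pre-8.7.1 behaviour: an unrecognised body type is reported but left in
 * the envelope, so it is later relayed as "-B <value>". The report does
 * not terminate processing, just as usrerr() does not in the hunk. */
static void set_body_type_unpatched(struct envelope *env, const char *arg)
{
    env->e_bodytype = arg;
    if (strcasecmp(arg, "7BIT") == 0)
        SevenBitInput = true;
    else if (strcasecmp(arg, "8BITMIME") == 0)
        SevenBitInput = false;
    else
        fprintf(stderr, "Illegal body type %s\n", arg);
}

/* Post-8.7.1 behaviour: report, then clear, so nothing is relayed. */
static void set_body_type_patched(struct envelope *env, const char *arg)
{
    env->e_bodytype = arg;
    if (strcasecmp(arg, "7BIT") == 0)
        SevenBitInput = true;
    else if (strcasecmp(arg, "8BITMIME") == 0)
        SevenBitInput = false;
    else {
        fprintf(stderr, "Illegal body type %s\n", env->e_bodytype);
        env->e_bodytype = NULL;
    }
}

/* Build the argument vector handed to the next hop (assumed helper).
 * Only the -B option is modelled. Returns the number of arguments set. */
static int build_relay_args(const struct envelope *env, const char *argv[], int max)
{
    int n = 0;
    if (n < max)
        argv[n++] = "sendmail";
    if (env->e_bodytype != NULL && n + 1 < max) {
        argv[n++] = "-B";
        argv[n++] = env->e_bodytype;   /* NULL must never reach here */
    }
    if (n < max)
        argv[n] = NULL;
    return n;
}

/* Does the relayed argv still carry exactly the body type that was given? */
static bool relays_body_type(void (*setter)(struct envelope *, const char *),
                             const char *arg)
{
    struct envelope env = { NULL };
    const char *argv[8];
    setter(&env, arg);
    int n = build_relay_args(&env, argv, 8);
    for (int i = 0; i + 1 < n; i++)
        if (strcmp(argv[i], "-B") == 0 && strcmp(argv[i + 1], arg) == 0)
            return true;
    return false;
}

int main(void)
{
    const char *bad = "BOGUS-TYPE";   /* constructed, unrecognised value */
    printf("unpatched relays %s: %d\n", bad,
           relays_body_type(set_body_type_unpatched, bad));
    printf("patched relays %s: %d\n", bad,
           relays_body_type(set_body_type_patched, bad));
    printf("patched relays 8BITMIME: %d\n",
           relays_body_type(set_body_type_patched, "8BITMIME"));
    return 0;
}
```

Run as-is it prints 1, 0 and 1: the unpatched setter forwards the bogus value, the patched setter drops it, and a legitimate 8BITMIME still passes through. The case-insensitive comparison also means "7bit" is accepted, matching the strcasecmp() in the hunk.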