
List:       best-of-security
Subject:    SECURITY ALERT: Dangerous hole in vacation v1.0.
From:       Julian Assange <proff () suburbia ! net>
Date:       1995-08-04 0:11:03

Forwarded message:
>From owner-linux-alert@tarsier.cv.nrao.edu Fri Aug  4 02:12:46 1995
Date: Wed, 2 Aug 1995 13:04:45 -0400
Message-Id: <199508021704.NAA10414@tarsier.cv.nrao.edu>
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
Subject: SECURITY ALERT: Dangerous hole in vacation v1.0.
X-Zippy: I'm having an EMOTIONAL OUTBURST!!  But, uh, WHY is there a WAFFLE  in my PAJAMA POCKET??
X-Mailer: VM 5.87 (beta); GNU Emacs 19.29.1
X-Attribution: Up
Sender: owner-linux-alert@tarsier.cv.nrao.edu
Precedence: special-delivery
Reply-To: linux-security@tarsier.cv.nrao.edu

-----BEGIN PGP SIGNED MESSAGE-----

A major security hole in the Linux version of 'vacation' has been
detected and corrected.  This hole affects version 1.0 of 'vacation' as
ported to Linux by Harald Milz <hm@seneca.ix.de> (from Eric Allman's
original BSD source) and found on sunsite.unc.edu and other FTP sites
(and thus commonly used on Linux systems).

Note: The hole was introduced in the Linux port/version and does not
appear to affect other, non-Linux-specific, versions of vacation.

The hole involved passing the Subject: and From: headers of the incoming
e-mail message to 'sed' and 'sendmail' via a system() call.  The extreme
danger of this, especially in a program that is taking input from remote
systems, should be apparent to most people that are familiar with the
system() call internals.

Thanks go to Olaf Kirch <okir@monad.swb.de> for detecting this hole and
for coding an initial fix, and to Harald Milz for enhancing Olaf's fix
to provide the same functionality as his (Harald's) previous version.

Version 1.1 (recently uploaded to sunsite.unc.edu) is a "safe" version.
UNDER _NO_ CIRCUMSTANCES SHOULD VERSION 1.0 BE USED!

Here is the LSM entry for the updated version:

Begin3
Title:          Automatic mail answering program for Linux
Version:        1.1
Entered-Date:   July 29, 1995
Description:    This is the port of the 386bsd vacation program to Linux. 
                Vacation is the automatic mail answering program found
                on many Unix systems.
                This is a security fixed version. PLEASE DON'T USE vacation-1.0
                ANY LONGER! 
Keywords:       vacation, mail answering
Author:         Eric Allman (?)
Maintained-By:  Harald Milz (hm@seneca.ix.de)
Primary-Site:   sunsite.unc.edu /pub/Linux/system/Mail/mailhandlers
                28 KB vacation-1.1.tar.gz
Original-Site:  agate.berkeley.edu (as of Nov 16, 1993)
Platforms:      GCC 2.6.3, libc 5.0.9 or libc 4.7.2
Copying-Policy: Copyright (c) 1983, 1987 Regents of the University of California
                changes relative to the original version: GPL
End

In addition to Sunsite, the updated version is available in
linux.nrao.edu:/pub/linux/security/vacation/.  MD5 checksum of the
tar-file on linux.nrao.edu is:

f37ab91e18de1caa2c657509d8eb073b  vacation-1.1.tar.gz

Note: For those that get syslog messages from 'sendmail' saying "mailer
prog died with signal 13" when running this new v1.1 (it's a SEGV; the
13 is octal), try the following patch (Harald plans on adding this, as
well as a couple of other slight modifications that I have made, in a
future public update to the newly-released v1.1):

 diff -u --recursive 1.1-hm/vacation.c 1.1/vacation.c
 --- 1.1-hm/vacation.c   Sat Jul 29 18:08:57 1995
 +++ 1.1/vacation.c      Sun Jul 30 13:39:41 1995
 @@ -184,8 +184,8 @@
      setreply();
      (void) gdbm_close(db);
      sendmessage(pw->pw_name);
 -  }
 -  (void) gdbm_close(db);
 +  } else
 +    (void) gdbm_close(db);
    exit(0);
    /* NOTREACHED */
  }
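
Review bot: the new `} else` at the bottom of the hunk leaves its single-statement body unbraced while the block it closes is braced; write it as `} else {`, `(void) gdbm_close(db);`, `}` so a statement added later cannot slip outside the branch. With the unconditional `(void) gdbm_close(db);` removed, the handle is closed once per path instead of a second time after the close that precedes `sendmessage(pw->pw_name)`; a one-line comment saying why that close has to come before sendmessage() would keep the two closes from being merged back together.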

- -- 
Jeff Uphoff - systems/network admin.  |  juphoff@nrao.edu
National Radio Astronomy Observatory  |  jeff.uphoff@linux.org
Charlottesville, VA, USA              |  http://linux.nrao.edu/~juphoff/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMB+wBrxzFUpUTHgFAQGuwwQA1XLiDP93tUE84d0nQOz34iM6GtHBF4AT
9IXsHNrgZpAwUcbYsYTlmvICrrxqyozBkfqGYTpH44ajV5dGcqb9FZmyO//x7/JY
LaejDEnp8ByigDf0++w7cxoRF7gwWFeNq2WvpFgbgqLWEer+Ci/mBKkEo0FY397E
TQWmk4ekFJ8=
=akI7
-----END PGP SIGNATURE-----
