[1145] in linux-security and linux-alert archive
[linux-security] Fix available for elm 2.4 filter security hole
daemon@ATHENA.MIT.EDU (jna)
Wed Sep 11 18:28:36 1996
Date: Tue, 10 Sep 1996 01:53:02 +0500
From: jna <jna@retina.net>
To: linux-security-digest@tarsier.cv.nrao.edu
I don't know if a patch has been made available for
the security hole in ELM's filter (version 2.4PL25),
but as of patch level 25, the bug still exists.
Users can read the electronic mail of any user they choose with a simple
exploit script (which has been published on the list before, so I won't
rehash it here again)
Basically, I've written a simple, blanket (bleh!) fix for filter that
prevents filter from opening any symbolic links while it's running.
If you know of a patch for filter that has fixed this already, let me know,
otherwise, if you need a copy of this patch, send me mail. :)
--john