[1148] in linux-security and linux-alert archive
[linux-security] From bugtraq: sendmail-8.7.5
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Thu Sep 12 12:01:40 1996
From: Thomas Roessler <roessler@sobolev.rhein.de>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 12 Sep 1996 16:52:13 +0200 (MET DST)
Cc: roessler@sobolev.rhein.de (Thomas Roessler)
There is a buffer-overflow problem in sendmail 8.7.5: The gecos field
is being written to a fixed-size buffer; this may be used to get root on
systems where users can modify their real name by using chfn(1).
Inserting the following code after line 470 of src/util.c should fix the
problem:
if (l >= MAXNAME) { /* -tlr */
    /* the expanded name would not fit the MAXNAME-byte buffer: log it
     * and bail out instead of writing past the end */
    syslog(LOG_NOTICE, "POSSIBLE ATTACK from user %d!", getuid());
    *bp = '\0';   /* leave an empty, NUL-terminated name */
    return;
}
The bugtraq posting additionally claims that the problem has been fixed
in 8.8beta.
tlr
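The fix above bound-checks the expanded length before any byte is copied. The following is an added example, not sendmail's code, showing that pattern in isolation: a gecos-to-full-name builder that computes the expanded length first, rejects anything that would not fit, and only then copies. It assumes MAXNAME is 256, that a bare '&' in the gecos field expands to the capitalised login name, and that the name ends at the first ',' (all three are assumptions made for the example, chosen to match the classic BSD convention).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; the real constant is sendmail's. */
#define MAXNAME 256

/* Length the expanded name would occupy, NOT counting the terminating NUL.
 * Computed before anything is written: a short gecos string can still
 * expand past the buffer when it contains several '&' and a long login. */
size_t expanded_gecos_len(const char *gecos, const char *login)
{
    size_t n = 0, loginlen = strlen(login);
    for (const char *p = gecos; *p != '\0' && *p != ','; p++)
        n += (*p == '&') ? loginlen : 1;
    return n;
}

/* Build the full name from a passwd gecos field into buf[bufsz].
 * Returns 0 on success, -1 when the expanded name would not fit
 * (the caller would log it, as the patch above does). On -1 the
 * buffer holds an empty, NUL-terminated string. */
int build_fullname(const char *gecos, const char *login,
                   char *buf, size_t bufsz)
{
    size_t need = expanded_gecos_len(gecos, login);
    if (need >= bufsz) {      /* same test as the patch: l >= MAXNAME */
        buf[0] = '\0';
        return -1;
    }
    char *bp = buf;
    for (const char *p = gecos; *p != '\0' && *p != ','; p++) {
        if (*p == '&') {
            /* '&' expands to the login name, first letter capitalised */
            for (const char *q = login; *q != '\0'; q++)
                *bp++ = (q == login) ? (char)toupper((unsigned char)*q) : *q;
        } else {
            *bp++ = *p;
        }
    }
    *bp = '\0';
    return 0;
}

int main(void)
{
    char name[MAXNAME];

    /* constructed sample: ordinary entry with office sub-field */
    if (build_fullname("Thomas Roessler,room 1", "roessler",
                       name, sizeof name) == 0)
        printf("ok: \"%s\"\n", name);

    /* constructed sample: 300-character "real name", as chfn(1) could set */
    char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';
    if (build_fullname(big, "user", name, sizeof name) != 0)
        printf("rejected: expanded length %zu >= %d\n",
               expanded_gecos_len(big, "user"), MAXNAME);
    return 0;
}
```

The second rejection case in the test below is the subtle one: the gecos string is only four characters long, so a check on strlen(gecos) would pass it, but its '&' expansions make the output exceed the buffer, which is why the length must be computed on the expanded form.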