[1148] in linux-security and linux-alert archive


[linux-security] From bugtraq: sendmail-8.7.5

daemon@ATHENA.MIT.EDU (Thomas Roessler)
Thu Sep 12 12:01:40 1996

From: Thomas Roessler <roessler@sobolev.rhein.de>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 12 Sep 1996 16:52:13 +0200 (MET DST)
Cc: roessler@sobolev.rhein.de (Thomas Roessler)

There is a buffer-overflow problem in sendmail 8.7.5:  The gecos field
is being written to a fixed-size buffer; this may be used to get root on
systems where users can modify their real name by using chfn(1).

Inserting the following code after line 470 of src/util.c should fix the
problem:

        /* l = computed length of the expanded name, bp = output pointer,
         * both from the enclosing function in util.c; refuse before copying */
        if(l >= MAXNAME) {      /* -tlr */
                syslog(LOG_NOTICE, "POSSIBLE ATTACK from user %d!", getuid());
                *bp = '\0';
                return;
        }

The bugtraq posting additionally claims that the problem has been fixed
in 8.8beta.

tlr
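The length check above, worked into a complete gecos-to-name builder as an added example (my code, not sendmail's util.c): the expanded length is computed first, counting each '&' as the full login name, and the copy is refused before a single byte is written when it would not fit. The names build_fname_checked, demo_expand and demo_amplified_gecos, the MAXNAME value of 256 and the sample gecos strings are assumptions for this illustration.

```c
/* Added example, not sendmail's code: a gecos-to-full-name builder in the
 * style of util.c, with the length check applied before any byte is copied.
 * build_fname_checked() and the demo helpers are hypothetical names. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXNAME 256          /* assumed limit for a single name */

/* A gecos name ends at the first ',', ';' or '%' (office/phone fields follow). */
static int gecos_end(char c)
{
    return c == '\0' || c == ',' || c == ';' || c == '%';
}

/* Length the expanded name would have: every '&' becomes the login name,
 * which is why a short gecos field can still expand past the buffer. */
static size_t expanded_len(const char *gecos, const char *login)
{
    size_t l = 0;
    for (const char *p = gecos; !gecos_end(*p); p++)
        l += (*p == '&') ? strlen(login) : 1;
    return l;
}

/* Returns 0 and fills buf on success; returns -1 and leaves buf empty when
 * the expansion would not fit in bufsize bytes (terminating NUL included). */
int build_fname_checked(const char *gecos, const char *login,
                        char *buf, size_t bufsize)
{
    if (*gecos == '*')            /* historical "no finger" marker */
        gecos++;
    if (expanded_len(gecos, login) >= bufsize) {
        buf[0] = '\0';
        return -1;                /* reject: caller may log this like the patch does */
    }
    char *bp = buf;
    for (const char *p = gecos; !gecos_end(*p); p++) {
        if (*p == '&') {
            size_t n = strlen(login);
            memcpy(bp, login, n);
            if (n > 0)
                *bp = (char)toupper((unsigned char)*bp);   /* capitalise login */
            bp += n;
        } else {
            *bp++ = *p;
        }
    }
    *bp = '\0';
    return 0;
}

/* Convenience wrapper with a MAXNAME-sized buffer; returns NULL on rejection. */
const char *demo_expand(const char *gecos, const char *login)
{
    static char buf[MAXNAME];
    return build_fname_checked(gecos, login, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Constructed input: 200 '&' characters with a 3-byte login expand to 600
 * bytes, well past MAXNAME. Returns the builder's status (-1 = rejected). */
int demo_amplified_gecos(void)
{
    char gecos[201];
    memset(gecos, '&', 200);
    gecos[200] = '\0';
    char buf[MAXNAME];
    return build_fname_checked(gecos, "tlr", buf, sizeof buf);
}

int main(void)
{
    printf("%s\n", demo_expand("Thomas & Roessler,Room 1", "tlr"));
    printf("amplified gecos rejected: %d\n", demo_amplified_gecos());
    return 0;
}
```

The point of computing the length in a separate pass is that the check covers the '&' expansion, not just strlen(gecos); a check on the raw field length alone would still let a login-name substitution overrun the buffer.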
