[11708] in bugtraq


Re: Vixie Cron version 3.0pl1 vulnerable to root exploit

daemon@ATHENA.MIT.EDU (Martin Schulze)
Tue Sep 7 09:50:44 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990904233759.T18221@finlandia.infodrom.north.de>
Date:         Sat, 4 Sep 1999 23:37:59 +0200
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To:         Valentin Nechayev <netch@LUCKY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990901174114.A17339@lucky.net>

Valentin Nechayev wrote:
> Quite more simple and correct variant is to append "--" to mailargs:
>
> > -#define MAILARGS "%s -FCronDaemon -odi -oem -or0s %s"		/*-*/
> > +#define MAILARGS "%s -FCronDaemon -odi -oem -- %s"			/*-*/
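
Review bot: The replacement line drops `-or0s` in addition to inserting `--`, but the accompanying text only describes appending `--`. If the removal is intentional, say why; otherwise keep it, as in `"%s -FCronDaemon -odi -oem -or0s -- %s"`. Since `--` only helps when the mailer's option parser honours it, the code that fills the second `%s` should also refuse a recipient beginning with '-' before this format string is used, so that the fix does not depend on which MTA is installed.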
>
> After it, it's possible to use real local parts starting with '-'. ;)
> getopt() stops parsing after "--", and arguments after it will be parsed as
> positional, not as flags.

This will only work for those MTAs that use getopt or that use the --
feature.  For example, Smail does not.  Thus this would fix the bug
in connection with sendmail but not in connection with Smail.  Haven't
checked Postfix, Exim, Zmailer and Qmail, but it may be similar.

Regards,

	Joey

--
There are lies, statistics and benchmarks.
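
The getopt() behaviour discussed in this thread, as an added example that is not part of the original messages or of Vixie cron: it runs a getopt()-based parser over the argument vector that MAILARGS produces, with and without `--`, and pairs it with a recipient check that does not depend on the MTA's parser. The optstring `"F:o:"`, the function names and the sample recipients are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if a getopt()-based parser leaves rcpt as the single positional
 * argument, 0 if any part of it was consumed as an option.
 * The optstring "F:o:" is an assumption modelling only the flags in MAILARGS. */
int recipient_is_positional(const char *rcpt, int use_ddash)
{
    char *argv[8] = { "mta", "-FCronDaemon", "-odi", "-oem" };
    int argc = 4, c, saw_unknown = 0;

    if (use_ddash)
        argv[argc++] = "--";
    argv[argc++] = (char *)rcpt;
    argv[argc] = NULL;

    opterr = 0;                 /* keep getopt() quiet about unknown flags */
#ifdef __GLIBC__
    optind = 0;                 /* glibc: force a full rescan */
#else
    optind = 1;
#endif
    while ((c = getopt(argc, argv, "F:o:")) != -1)
        if (c == '?')
            saw_unknown = 1;

    return !saw_unknown && optind == argc - 1 && strcmp(argv[optind], rcpt) == 0;
}

/* MTA-independent guard (an added suggestion, not from the thread): refuse a
 * recipient that any option parser could mistake for a flag. */
int recipient_is_safe(const char *rcpt)
{
    return rcpt != NULL && rcpt[0] != '\0' && rcpt[0] != '-';
}

int main(void)
{
    const char *samples[] = { "root", "-bob", "-oem" };   /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-5s no-dash-dash=%d with-dash-dash=%d safe=%d\n", samples[i],
               recipient_is_positional(samples[i], 0),
               recipient_is_positional(samples[i], 1),
               recipient_is_safe(samples[i]));
    return 0;
}
```

The first function only models parsers that follow getopt() conventions; the second check gives the same answer whichever MTA receives the arguments.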
