[7028] in bugtraq


Re: security hole in mailx

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Thu Jun 25 15:48:33 1998

Date: 	Thu, 25 Jun 1998 12:07:18 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         Ben Collins <bmc@VISI.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 25 Jun 1998 05:58:24 CDT." 
              <Pine.LNX.3.96.980625054857.332A-100000@bristol>

Of course the OpenBSD mailx program isn't setuid or setgid.

But we did an audit of the source code anyways.  This particular
buffer overflow isn't possible in our code, since $HOME is ignored the
moment it becomes longer than MAXPATHNAMELEN.

We found and fixed numerous other problems in mailx.  If anyone
intends to make this program setuid or setgid, they need to do a
significant amount of work... or just copy our code.

But I don't guarantee all problems are fixed in our version... since
we are not running setgid.  We use a different mechanism for mail
spool locking.
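
The length check on $HOME described in the message above, as an added example: this is not code from the post or from OpenBSD's mailx. The helper name `get_home`, the use of `PATH_MAX` as the limit, and the fallback to the passwd entry and then "/" are assumptions made for illustration.

```c
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumed limit when the platform does not define one */
#endif

/*
 * Hypothetical helper: copy a usable home directory into out[outsz].
 * Returns  1 if $HOME was accepted,
 *          0 if $HOME was ignored and a fallback was used,
 *         -1 if nothing fits in the caller's buffer.
 * The value is never copied before its length is known to fit.
 */
int get_home(char *out, size_t outsz)
{
    const char *home = getenv("HOME");
    const char *fallback = "/";
    struct passwd *pw;
    size_t cap = outsz < PATH_MAX ? outsz : PATH_MAX;

    if (out == NULL || outsz == 0)
        return -1;

    /* Accept $HOME only if set, non-empty, and short enough including its NUL. */
    if (home != NULL && home[0] != '\0' && strlen(home) < cap) {
        memcpy(out, home, strlen(home) + 1);
        return 1;
    }

    /* $HOME ignored: prefer the passwd entry, under the same length rule. */
    pw = getpwuid(getuid());
    if (pw != NULL && pw->pw_dir != NULL && pw->pw_dir[0] != '\0' &&
        strlen(pw->pw_dir) < cap)
        fallback = pw->pw_dir;

    if (strlen(fallback) >= outsz)
        return -1;
    memcpy(out, fallback, strlen(fallback) + 1);
    return 0;
}
```

An unchecked `strcpy(buf, getenv("HOME"))` into a fixed-size buffer is the pattern this replaces; here an overlong value is discarded rather than truncated, so a caller never operates on a partial path.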
