[830] in bugtraq
Re: CERT Advisory CA-95:02.binmail.vulnerabilities
daemon@ATHENA.MIT.EDU (Neil Woods)
Sat Jan 28 10:05:19 1995
From: Neil Woods <neil@legless.demon.co.uk>
To: Julian Assange <proff@suburbia.apana.org.au>
Date: Sat, 28 Jan 1995 13:15:26 +0100 (GMT)
Cc: bugtraq@fc.net
In-Reply-To: <199501270818.TAA02317@suburbia.apana.org.au> from "Julian Assange" at Jan 27, 95 07:18:56 pm
>
> > The CERT Coordination Center thanks Eric Allman, Wolfgang Ley, Karl
> > Strickland, Wietse Venema, and Neil Woods for their contributions to
> > mail.local.
>
> Last billing there Neil, though I note it's in alphabetical order. It
> does seem a little thick headed that CERT, in its wisdom, did not simply
> refer people to several 8lgm advisories already on the subject. As for the
> "mail.local" not being perfect - what are they advising? the installation of
> something less than perfect as far as root-bugs are concerned?
>
> "But mom, I'm only a little bit pregnant"
>
> From my examinations of mail.local, it's fine unless you can write to the mail
> spool directory. If you can, then it's raceable.
>
I know of no problems with the mail.local code provided, I'd advise anyone
with sunos/ultrix boxes to use it. I wouldn't trust any patch provided
by either DEC or SUN at this moment in time. I haven't looked at any
other available src, so I can't recommend anything else.

Even with a mode 777 spool directory, this code is secure (IMHO 8). If
anyone thinks otherwise, then please post a description of why you
believe it is so, a script isn't necessary.

As our names are on the advisory, I guess you can take that as a seal of
approval.

Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...