[1046] in bugtraq
Re: new sendmail bug?
daemon@ATHENA.MIT.EDU (joel)
Thu Feb 23 02:44:22 1995
Date: Thu, 23 Feb 1995 00:43:23 -0600 (CST)
From: joel <nihilis@solar.sky.net>
To: bugtraq@fc.net
In-Reply-To: <199502230443.VAA24166@ecosys.nbs.nau.edu>
On Wed, 22 Feb 1995, James W. Abendschan wrote:
> I gathered it had something to do with imbedding newlines in
> either the info it reads from identd and/or imbedding newlines
> when giving it command line options.. but it's hard to say.
The updated sendmail readme stuff (quoted below) indicates (actually, it
does more than indicate, it specifies) identd and bogus values from
sites that hate it. Perhaps it constructs its own To: line for us? And
mails stuff accordingly.

There's something else first, though, which I don't know anything about.
Perhaps someone else can shed light on it.
- Joel
Me, Employer, Separate, Blahblahblah
--
GCS/E -d+(?) H++ s-: !g p? !au a-- w+ v- C++ ULS++++$ P+>++ L++@ 3 E-
N++(+) K W M- V- po Y+ t S- j R G' tv>- b>+ D+ B- e(+) u+(*) h! f r>+++
n-@ y+
From the readme (patch format):
+ 8.6.10/8.6.10 95/02/10
+ SECURITY: Diagnose bogus values to some command line flags that
+ could allow trash to get into headers and qf files.
+ Validate the name of the user returned by the IDENT protocol.
+ Some systems that really dislike IDENT send intentionally
+ bogus information. Problem pointed out by Michael Bushnell
+ of the Free Software Foundation. Has some security
+ implications.
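
Review bot: the first SECURITY item ("bogus values to some command line flags") does not name the flags that are now diagnosed, so an administrator reading the 8.6.10 entry cannot tell which invocations changed behaviour; list the flags. The IDENT item closes with "Has some security implications" without saying what those implications are or what counts as an invalid user name. Stating the validation rule (which characters or forms are refused) and tying it to the "trash to get into headers and qf files" wording of the first item would let sites judge their exposure on earlier versions.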