[1070] in bugtraq
I still don't buy that sendmail is "fixed".
daemon@ATHENA.MIT.EDU (*Hobbit*)
Fri Feb 24 01:35:33 1995
Date: Fri, 24 Feb 1995 00:56:27 -0500
From: *Hobbit* <hobbit@avian.org>
To: bugtraq@fc.net
In readcf.c, we still have the following fragment:
    ...
        if (!safe && RealUid == 0)
            safe = TRUE;
        if (!safe && strchr("bCdeijLmoprsvw7", opt) == NULL)
        {
===>        if (opt != 'M' || (val[0] != 'r' && val[0] != 's'))
            {
                if (tTd(37, 1))
                    printf(" (unsafe)");
                if (RealUid != geteuid())
                {
                    if (tTd(37, 1))
                        printf("(Resetting uid)");
                    (void) setgid(RealGid);
                    (void) setuid(RealUid);
                }
            }
        }
        if (tTd(37, 1))
            printf("\n");
    ...
What is the line with "===>" in front of it really supposed to be doing?
Why should we let ordinary users define macros at all, and do crap like
override or add to $j?!
I would reduce the "string of options considered safe" down to "dijLmv7".
* * *
And as far as parsing identd stuff, what der Mouse said about reads, and
what Wietse wrote into tcpd that appears to read a username in a safe way,
and DISCARDS everything after the first space. We wake up and suddenly
realize that identd responses are to be considered "user input".
\r\nCroot\r\nR<"|/bin/echo HAHA > somefile">\r\nHBogus: indeed. Maybe
I'll just leave my identd wired this way for a while just to screw with
peoples' heads. Maybe I'll change "somefile" to "/dev/kmem".
Why am I so *PISSED OFF* about this?! It's only ones and zeros, fer krissake.
_H*
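Editor's added example, not code from sendmail, tcpd or the post above: one way to treat an identd reply as untrusted input, in the spirit of what the post says tcpd does. The function name, the 512-byte line buffer and the exact acceptance rules are this example's own assumptions; the sample replies in the comments and test are constructed.

```c
#include <string.h>

/* Added example, not sendmail or tcpd code: treat an identd (RFC 1413) reply
 * as untrusted input.  A reply has the form
 *   "<port>, <port> : USERID : <os> : <userid>\r\n"
 * The rules below are this example's assumptions: stop at the first CR or LF,
 * require the USERID form, keep the user id only up to the first blank (as
 * the post says tcpd does), and reject any byte outside printable ASCII.
 * Returns 1 and fills `user` on success, 0 otherwise. */
int parse_ident_reply(const char *raw, char *user, size_t userlen)
{
    char line[512];
    const char *p, *u;
    size_t i;

    /* Copy only up to the first CR/LF: a reply is one line, nothing more. */
    for (i = 0; i < sizeof(line) - 1 && raw[i] != '\0'
                && raw[i] != '\r' && raw[i] != '\n'; i++)
        line[i] = raw[i];
    line[i] = '\0';

    /* Skip "port, port :" and require the USERID keyword. */
    if ((p = strchr(line, ':')) == NULL)
        return 0;
    for (p++; *p == ' ' || *p == '\t'; p++)
        ;
    if (strncmp(p, "USERID", 6) != 0)
        return 0;

    /* Skip ": <os> :" to reach the user id field. */
    if ((p = strchr(p + 6, ':')) == NULL || (p = strchr(p + 1, ':')) == NULL)
        return 0;
    for (u = p + 1; *u == ' ' || *u == '\t'; u++)
        ;

    /* Keep the user id up to the first blank; refuse control and 8-bit bytes
     * so a reply cannot smuggle CR, LF or other separators into a log line
     * or a configuration line. */
    for (i = 0; u[i] != '\0' && u[i] != ' ' && u[i] != '\t'; i++) {
        if (i + 1 >= userlen)
            return 0;                 /* too long for the caller's buffer */
        if ((unsigned char)u[i] < 0x21 || (unsigned char)u[i] > 0x7e)
            return 0;
        user[i] = u[i];
    }
    user[i] = '\0';
    return i > 0;
}
```

A caller that logs or stores the result should still treat `user` as a claim made by the remote host, not as an identity.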