[16185] in bugtraq


Re: sperl 5.00503 (and newer ;) exploit

daemon@ATHENA.MIT.EDU (Thomas Roessler)
Thu Aug 10 17:20:03 2000

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20000810093306.E16172@sobolev.does-not-exist.org>
Date:         Thu, 10 Aug 2000 09:33:06 +0200
Reply-To: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
From: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000808182703.2E96787@proven.weird.com>; from woods@weird.com
              on Tue, Aug 08, 2000 at 02:27:03PM -0400

On 2000-08-08 14:27:03 -0400, Greg A. Woods wrote:

> I've been rather dismayed by the number of people posting patches
> which claim to "fix" mailx, aka BSD Mail.  One could contend that
> it's not even broken in the first place!

Indeed.

The fact that input to mailx (or to mailx mimicking /bin/mail)
should be sanitized can be assumed to be well-known since - at
least! - the days of CNews, which has some code to that avail in the
scripts sending mail messages to administrators.  Failure to do so
is plainly the fault of the calling application, and should not be
taken as a reason for removing traditional and well-established
behaviour.

Just as well, the fact that the environment should be sanitized in a
white-list approach before calling external programs from programs
running setuid (and passing privileges to these external programs!)
has been well-known for ages.  Not following this guideline is
plainly the fault of the calling application.

--
Thomas Roessler                         <roessler@does-not-exist.org>
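
The white-list approach described in the message above, as an added example that is not part of the original post: a privileged caller builds the child's environment from scratch instead of trying to strip known-bad variables. The allowed names, the accepted character set, the fixed PATH and the use of /usr/bin/env as a stand-in for the external helper are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Names allowed through to the child (assumed list; adjust per helper). */
static const char *const ALLOWED[] = { "TZ", "LANG", "TERM" };
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Accept only short values built from a conservative character set. */
static int value_ok(const char *v) {
    static const char SAFE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz0123456789_.-+";
    size_t n = strlen(v);
    return n > 0 && n <= 64 && strspn(v, SAFE) == n;
}

/* Build out[] from fixed PATH/IFS plus validated whitelisted entries of
 * src[]. Returns the entry count, or -1 if out[] (cap slots) is too small. */
int build_clean_env(char *const src[], char *out[], size_t cap) {
    int seen[N_ALLOWED] = {0};
    size_t n = 0;
    if (cap < 3) return -1;
    out[n++] = "PATH=/usr/bin:/bin";      /* never inherit the caller's PATH */
    out[n++] = "IFS= \t\n";
    for (size_t i = 0; src && src[i]; i++) {
        const char *eq = strchr(src[i], '=');
        if (!eq) continue;
        size_t klen = (size_t)(eq - src[i]);
        for (size_t a = 0; a < N_ALLOWED; a++) {
            if (strlen(ALLOWED[a]) != klen || strncmp(src[i], ALLOWED[a], klen))
                continue;
            if (seen[a] || !value_ok(eq + 1)) break;  /* duplicate or bad value */
            if (n + 1 >= cap) return -1;
            out[n++] = src[i];
            seen[a] = 1;
            break;
        }
    }
    out[n] = NULL;
    return (int)n;
}

int main(void) {
    char *clean[16];
    char *argv[] = { "env", NULL };
    if (build_clean_env(environ, clean, 16) < 0) return 1;
    /* /usr/bin/env stands in for the external helper; it prints what it got. */
    execve("/usr/bin/env", argv, clean);
    perror("execve");
    return 1;
}
```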
