Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3993201C.61F45F68@transmeta.com>
Date: Thu, 10 Aug 2000 14:35:24 -0700
Reply-To: hpa@TRANSMETA.COM
From: "H. Peter Anvin" <hpa@TRANSMETA.COM>
X-To: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Thomas Roessler wrote:
>
> On 2000-08-08 14:27:03 -0400, Greg A. Woods wrote:
>
> > I've been rather dismayed by the number of people posting patches
> > which claim to "fix" mailx, aka BSD Mail.  One could contend that
> > it's not even broken in the first place!
>
> Indeed.
>
> The fact that input to mailx (or to mailx mimicking /bin/mail)
> should be sanitized can be assumed to be well-known since - at
> least! - the days of CNews, which has some code to that avail in the
> scripts sending mail messages to administrators.  Failure to do so
> is plainly the fault of the calling application, and should not be
> taken as a reason for removing traditional and well-established
> behaviour.
>
> Just as well, the fact that the environment should be sanitized in a
> white-list approach before calling external programs from programs
> running setuid (and passing privileges to these external programs!)
> has been well-known for ages.  Not following this guideline is
> plainly the fault of the calling application.
>

For what it's worth, these kinds of issues with /bin/mail are part of why
the draft Linux Standards Base (LSB) specification specifies a subset of
the /usr/sbin/sendmail CLI (which doesn't mean it actually has to be
Sendmail!) as the only recognized injection point for mail.

        -hpa

--
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
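
The two practices discussed in the message above, a whitelisted environment for the child process and /usr/sbin/sendmail as the mail injection point, shown as an added example that is not part of the original post. The whitelist contents, the fixed PATH and all function names are assumptions; `-i` and `-t` are standard sendmail flags.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;
/* Assumed whitelist: the only variables copied from the caller's environment. */
static const char *const keep[] = { "TZ", "LANG", NULL };

/* Fixed PATH plus whitelisted entries; returns entry count (out is NULL-terminated). */
size_t build_clean_env(char *const src[], const char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) return 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; src && src[i]; i++)
        for (size_t k = 0; keep[k]; k++) {
            size_t len = strlen(keep[k]);
            if (n + 1 < cap && !strncmp(src[i], keep[k], len) && src[i][len] == '=')
                out[n++] = src[i];
        }
    out[n] = NULL;
    return n;
}

/* A header value containing CR or LF could inject extra headers; reject it. */
int header_value_ok(const char *v) { return v && *v && !strpbrk(v, "\r\n"); }
/* Pipe a message to /usr/sbin/sendmail -i -t; returns 0 on success, -1 otherwise. */
int send_mail(const char *to, const char *subj, const char *body, char *const env_in[]) {
    const char *envp[8];
    char *const argv[] = { "sendmail", "-i", "-t", NULL };
    int fd[2], status; pid_t pid;
    if (!header_value_ok(to) || !header_value_ok(subj) || !body) return -1;
    build_clean_env(env_in, envp, 8);
    signal(SIGPIPE, SIG_IGN);            /* a failed exec must not kill the caller */
    if (pipe(fd) < 0) return -1;
    if ((pid = fork()) < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                      /* child: the message arrives on stdin */
        dup2(fd[0], 0); close(fd[0]); close(fd[1]);
        execve("/usr/sbin/sendmail", argv, (char *const *)envp);
        _exit(127);
    }
    close(fd[0]);
    dprintf(fd[1], "To: %s\nSubject: %s\n\n%s\n", to, subj, body);
    close(fd[1]);
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv) { return argc == 2 && !send_mail(argv[1], "test", "added example", environ) ? 0 : 1; }
```

Because the child is started with `execve` and an explicit environment, nothing from the caller's environment reaches it except the whitelisted names, and no shell interprets the recipient or subject.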