Vulnerability in metamail
Alan Cox (alan LXORGUK.UKUU.ORG.UK)
Fri, 24 Oct 1997 22:42:11 +0100
Ok I'm sure the topic "vulnerability in metamail" has those who've been near
the code at the very least unsurprised. The right things to do with metamail
are either
a) Use it as a course example on why not to write programs in sh
b) Throw it out and write it in C
For the moment however this one appears to be covered ok by using
uudecode's -o option to force the output file.
A couple of scripts in metamail (notably sun-audio-file) blindly uudecode
something assuming the filename will be reasonable. It does do things
in a /tmp dir but if you know someone's home dir and bung in a full path
then surprise surprise it uudecodes where asked - so you can send people
sun-audio-file .rhosts for example.
It seems to be sufficient to change from

    if (! $?METAMAIL_TMPDIR) then
        set METAMAIL_TMPDIR=/tmp
    endif
    cd ${METAMAIL_TMPDIR}
    uudecode < $1
    audiotool audio-file

To use

    uudecode <$1 -o audio-file

This isn't the only problem file tho.
This seems to affect anybody using metamail - that's generally folks using Elm
and things like Andrew in some cases. Several Linux distributions ship
a metamail kit. A fix for Redhat 4.x is now available on ftp.redhat.com.
Alan
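
The filename problem described in the message above, as an added example that is not part of the original post: a POSIX sh check that reads the name in a uuencoded file's `begin` line, rejects names that would land outside the working directory, and decodes to a caller-chosen name with `-o`. The function names, the constructed sample files and the rule rejecting every dotfile are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): check the name in a uuencode header
# before decoding, and always decode to a name the caller chooses.

# Print the output name embedded in the "begin MODE NAME" header line.
uu_target() {
    awk '$1 == "begin" || $1 == "begin-base64" {
             sub(/^[^ ]+ +[0-7]+ +/, ""); sub(/\r$/, ""); print; exit
         }' "$1"
}

# Succeed only for a plain file name: non-empty, no "/", no leading ".".
# Rejecting every dotfile is this example's policy, stricter than the post.
uu_name_is_safe() {
    name=$(uu_target "$1")
    case $name in
        ''|*/*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Decode $1 to the fixed name $2, ignoring the sender's name, as the
# post's -o fix does. Assumes the local uudecode supports -o.
uu_decode_fixed() {
    uu_name_is_safe "$1" ||
        echo "note: ignoring embedded name '$(uu_target "$1")'" >&2
    uudecode -o "$2" "$1"
}

# Constructed samples: the same 3-byte body ("hi\n") under two headers.
uu_write_samples() {
    for pair in "good:audio-file" "bad:/home/user/.rhosts"; do
        printf 'begin 644 %s\n#:&D*\n`\nend\n' "${pair#*:}" > "$1/${pair%%:*}.uu"
    done
}

# Demo: report the verdict for each constructed sample.
demo_dir=$(mktemp -d)
uu_write_samples "$demo_dir"
for f in "$demo_dir"/*.uu; do
    if uu_name_is_safe "$f"; then verdict=ok; else verdict=REJECT; fi
    printf '%s: embedded name "%s" -> %s\n' "${f##*/}" "$(uu_target "$f")" "$verdict"
done
rm -rf "$demo_dir"
```

The header check is useful for logging or quarantining suspicious mail parts; the forced output name is what actually keeps the decode inside the temporary directory.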