Date: Tue, 04 Jan 2000 03:11:38 +0800 From: Peter Wemm <peter@netplex.com.au> To: Paul A Vixie <vixie@mibh.net> Cc: Ole Pahl <op@pahl.net>, bugtraq@securityfocus.com, submission@rootshell.com, cert@cert.org, cert@cert.dfn.de, freebsd-bugs@freebsd.org, info@suse.de, isc-info@isc.org Subject: Re: Bug in recent versions of Vixie cron Message-ID: <20000103191138.E31DE1CC6@overcee.netplex.com.au> In-Reply-To: Message from Paul A Vixie <vixie@mibh.net> of "Sun, 02 Jan 2000 12:55:59 PST." <200001022055.MAA05785@redpaul.mibh.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Paul A Vixie wrote: > if your cron source (do_command.c) does not include the function safe_p() > then it is vulnerable to this. this hole was fixed in 1996. take a look > at isc cron 4.0 beta1, at ftp://ftp.isc.org/isc/cron_4.0_b1.shar. FreeBSD doesn't use safe_p() - it doesn't allow users to pass arguments to sendmail at all. The recipient address from MAILTO is passed in the 'To: ' line in the header and 'sendmail -t' is called. This is a quite robust solution since sendmail already performs it's own checking. The "fixes" to the Linux versions of vixie cron were quite overkill. We fixed this over a few days in April 1995, I see the 4.0-b1 release now uses -t as well as some other conservative checks. Our change log: ---------------------------- revision 1.4 date: 1995/04/14 21:54:18; author: ache; state: Exp; lines: +2 -31 Fix MAILTO hole by passing -t to sendmail Submitted by: Mike Pritchard <pritc003@maroon.tc.umn.edu> ---------------------------- revision 1.3 date: 1995/04/13 20:58:13; author: ache; state: Exp; lines: +29 -4 Really fix MAILTO hole by parsing spaces. Remove local bitstring copy ---------------------------- revision 1.2 date: 1995/04/12 18:57:37; author: ache; state: Exp; lines: +7 -3 Close MAILTO security hole ---------------------------- FreeBSD has not been vulnerable since 2.0-RELEASE. 2.0.5 and later were based on rev 1.5 and not vulnerable. This has been reported many times. Cheers, -Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000103191138.E31DE1CC6>