From owner-freebsd-security Sun Jan 19 09:21:21 1997
From: batie@agora.rdrop.com (Alan Batie)
To: lithium@cia-g.com (Stephen Fisher)
Cc: schluntz@pinpt.com, freebsd-security@FreeBSD.org, roberto@keltia.freenix.fr
Date: Sun, 19 Jan 1997 09:21:13 -0800 (PST)
Subject: Re: sendmail running non-root SUCCESS!
In-Reply-To: from "Stephen Fisher" at Jan 18, 97 06:39:40 pm

> Write a new mailer that has the power and functionality of Sendmail
> without the problems and uses sendmail.cf's format and I'll use it.

sendmail.cf is the reason I'm running smail!

--
Alan Batie                          It's not my fault! It's some guy
batie@agora.rdrop.com               named "General Protection"!
+1 503 452-0960                     --Ratbert
PGP FP: DE 3C 29 17 C0 49 7A 27 40 A5 3C 37 4A DA 52 B9

It is my policy to avoid purchase of any products from companies which use
unrequested email advertisements or telephone solicitation.
From owner-freebsd-security Tue Jan 21 03:53:49 1997
From: "Eporue - aCid produCtions <1997> "
To: freebsd-security@freebsd.com
Date: Tue, 21 Jan 1997 03:51:11 +0000 ()
Subject: whee

whee

From owner-freebsd-security Tue Jan 21 08:18:41 1997
From: David Holland
Reply-To: David Holland
To: Multiple recipients of list BUGTRAQ
Date: Mon, 20 Jan 1997 23:25:48 -0500
Subject: Re: talkd problem
Message-ID: <199701210425.XAA00454@burgundy.eecs.harvard.edu>
In-Reply-To: <199701210246.TAA27525@zeus.theos.com> from "Theo de Raadt" at Jan 20, 97 07:46:28 pm
Approved-By: ALEPH1@UNDERGROUND.ORG

> revision 1.4
> date: 1996/07/17 23:41:10; author: deraadt; state: Exp; lines: +10 -8
> buffer overflow from dholland@hcs.HARVARD.EDU; could do with some cleanup?
> [...]
>
> I really like it when we get to fix a security hole 5 months before
> everyone else. "Everyone else" should do something about that.

'cept for us, of course. :-)

I *tried* to get the information out to people, but it's like pulling
teeth sometimes. Anyone who's maintaining BSD user-level network tools
and doesn't have my fixes, please feel free to get in touch with me.

This talkd thing was one of the first things I found, and I've been
racking up more in the past few months. :-/

--
   - David A. Holland             | VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino

From owner-freebsd-security Wed Jan 22 09:47:25 1997
From: Eivind Eklund
To: Dave Andersen
Cc: Jaye Mathisen, hackers@freebsd.org, security@freebsd.org
Date: Wed, 22 Jan 1997 18:41:54 +0100
Subject: Re: FWIW
Message-Id: <3.0.32.19970122184152.00b7eec0@dimaga.com>
X-Mailer: Windows Eudora Pro Version 3.0 (32)

At 09:33 AM 1/22/97 -0700, Dave Andersen wrote:
>
>> From: Eivind Eklund
>>
>> At 01:55 PM 1/21/97 -0800, Jaye Mathisen wrote:
>> >
>> >
>> >8.8.5 of sendmail is out, apparently fixing some nasty security bug in
>> >8.8.3 and 8.8.4. Since 8.8.4 is in the tree, we should upgrade ASAP.
>>
>> The security bug is reasonably minor; it is a question of not giving up
>> group rights in some cases. The problem has been present quite a while (if
>> it is the problem the description made it sound like), since 8.7.0 or
>> something.

Well, this was what I was informed. If I'd read BugTraq before reading
freebsd-hackers, I would have known better. There is a MIME overflow bug -
which at least some lints (flexelint, for sure) would have caught. A patch
is included below.
BTW: How do people feel about making FreeBSD (or at least the header files)
flexelint clean? I could do the actual work (starting in a few weeks, as
soon as I get my non-work machine home), but it would take a _LOT_ of
commits, involving mainly comment addition to suppress warnings.
(flexelint uses control comments to suppress warnings.) Real code changes
would only happen in those cases where bugs were uncovered.

>> (Not that we shouldn't fix it, but I'm not too concerned about it. Since
>> you are concerned, perhaps you should upgrade the port? :)
>
> You should be. :) Sendmail 8.8.5 fixes a remotely exploitable buffer
> overflow that (you guessed it) can let an outsider have root access to
> your system. A local account is not required to take advantage of this
> hole.

I don't have to - I'm running an older version with only the bugfixes from
newer versions, to avoid this kind of surprise. :)
(In addition my host is firewalled, receiving all mail by UUCP from another
secure host. Only DNS is available below 1024.)

> (If you haven't upgraded to 8.8.5 yet, you should. Don't bother waiting
> for it to make it in to the tree. Sendmail 8.8.5 is available from
> ftp.sendmail.org and ftp.cert.org).

Patch for the serious bug (which is there, right enough, in 8.8.4, and
probably 8.8.3):

diff -r -c sendmail-8.8.4/src/mime.c sendmail-8.8.5/src/mime.c *** sendmail-8.8.4/src/mime.c Sun Nov 24 07:27:26 1996 --- sendmail-8.8.5/src/mime.c Tue Jan 14 17:21:22 1997 *************** *** 36,42 **** # include #ifndef lint ! static char sccsid[] = "@(#)mime.c 8.51 (Berkeley) 11/24/96"; #endif /* not lint */ /* --- 36,42 ---- # include #ifndef lint ! 
static char sccsid[] = "@(#)mime.c 8.54 (Berkeley) 1/14/97"; #endif /* not lint */ /* *************** *** 958,967 **** register char *p; char *cte; char **pvp; - u_char *obp; u_char *fbufp; char buf[MAXLINE]; - u_char obuf[MAXLINE + 1]; u_char fbuf[MAXLINE + 1]; char pvpbuf[MAXLINE]; extern u_char MimeTokenTab[256]; --- 958,965 ---- *************** *** 1045,1053 **** c2 = CHAR64(c2); *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); ! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || *--fbufp != '\r') fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); --- 1043,1052 ---- c2 = CHAR64(c2); *fbufp = (c1 << 2) | ((c2 & 0x30) >> 4); ! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || ! (fbufp > fbuf && *--fbufp != '\r')) fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); *************** *** 1057,1065 **** continue; c3 = CHAR64(c3); *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); ! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || *--fbufp != '\r') fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); --- 1056,1065 ---- continue; c3 = CHAR64(c3); *fbufp = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); ! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || ! (fbufp > fbuf && *--fbufp != '\r')) fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); *************** *** 1069,1103 **** continue; c4 = CHAR64(c4); *fbufp = ((c3 & 0x03) << 6) | c4; ! if (*fbufp++ == '\n' || fbuf >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || *--fbufp != '\r') fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); fbufp = fbuf; } } - - /* force out partial last line */ - if (fbufp > fbuf) - { - *fbufp = '\0'; - putline((char *) fbuf, mci); - } } else { /* quoted-printable */ ! obp = obuf; while (fgets(buf, sizeof buf, e->e_dfp) != NULL) { ! if (mime_fromqp((u_char *) buf, &obp, 0, &obuf[MAXLINE] - obp) == 0) continue; ! putline((char *) obuf, mci); ! 
obp = obuf; } } if (tTd(43, 3)) printf("\t\t\tmime7to8 => %s to 8bit done\n", cte); --- 1069,1105 ---- continue; c4 = CHAR64(c4); *fbufp = ((c3 & 0x03) << 6) | c4; ! if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ! if (*--fbufp != '\n' || ! (fbufp > fbuf && *--fbufp != '\r')) fbufp++; *fbufp = '\0'; putline((char *) fbuf, mci); fbufp = fbuf; } } } else { /* quoted-printable */ ! fbufp = fbuf; while (fgets(buf, sizeof buf, e->e_dfp) != NULL) { ! if (mime_fromqp((u_char *) buf, &fbufp, 0, ! &fbuf[MAXLINE] - fbufp) == 0) continue; ! putline((char *) fbuf, mci); ! fbufp = fbuf; } + } + + /* force out partial last line */ + if (fbufp > fbuf) + { + *fbufp = '\0'; + putline((char *) fbuf, mci); } if (tTd(43, 3)) printf("\t\t\tmime7to8 => %s to 8bit done\n", cte);

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/
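Review bot: the defect fixed in hunk 1045,1053 is the length check `fbuf >= &fbuf[MAXLINE]`, which compares the array's own base address with its end and so is never true; the base64 decoder therefore keeps writing through `fbufp` past the end of `fbuf` on any decoded run that contains no newline, and `fbufp >= &fbuf[MAXLINE]` is the operand that was meant. The second change in the same hunk is needed too: when the decoded line is a lone '\n' at `fbuf[0]`, the old `*--fbufp != '\r'` moves `fbufp` one byte before `fbuf` and then reads (and, if that byte happens to be '\r', writes the '\0') outside the array; the added `fbufp > fbuf &&` guard stops that underflow.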
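Review bot: hunks 1057,1065 and 1069,1103 apply the identical two-line fix to the c3 and c4 output bytes, so the same flush block `if (*fbufp++ == '\n' || fbufp >= &fbuf[MAXLINE]) { ... putline((char *) fbuf, mci); fbufp = fbuf; }` now exists in three copies; it would be worth folding it into one small static helper so that a later correction cannot be applied to one copy and missed in another, which is exactly how a `fbuf`-for-`fbufp` slip survives in three places.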
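Review bot: hunk 1069,1103 changes behaviour beyond the bounds fix and that deserves a sentence in the change description: the quoted-printable branch now decodes into `fbuf` through `fbufp` (the separate `obuf`/`obp` are dropped in hunk 958,967), and the "force out partial last line" block moves from inside the base64 branch to after the if/else. In the old code a quoted-printable body whose final line was left pending in `obuf` (a 0 return from `mime_fromqp` hits `continue` with no `putline`) was never emitted; after the patch it is. The new `&fbuf[MAXLINE] - fbufp` length argument is correct, since it shrinks the space offered to `mime_fromqp` as a partial line accumulates across `fgets` calls instead of always offering the full buffer.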
From owner-freebsd-security Thu Jan 23 04:40:58 1997
From: "Ton Cremers"
To: security@freefall.freebsd.org
Date: Thu, 23 Jan 1997 13:42:36 +0000
Subject: Re: security-digest V3 #4
Message-Id: <199701231240.NAA09969@magigimmix.xs4all.nl>
Reply-to: cremers@xs4all.nl
X-mailer: Pegasus Mail for Win32 (v2.42a)

Love your *digest*

Would you be so kind as to send future issues to:
mailto:museum-security@museum-security.org

Thanks and regards,

Ton Cremers
===================================================
Information Books on the WWW: http://www.xs4all.nl/~cremers
Book history timetable: http://www.xs4all.nl/~cremers/timetab.html
Website devoted to cultural property protection: http://www.xs4all.nl/~securma
(mirror site in USA: http://museum-security.org)
useful information for libraries, museums, archives..
===================================================

From owner-freebsd-security Fri Jan 24 19:56:35 1997
From: "Daniel O'Callaghan"
To: freebsd-security@freebsd.org
Date: Sat, 25 Jan 1997 14:59:02 +1100 (EST)
Subject: GNU tar vulnerability (fwd)

---------- Forwarded message ----------
Date: Sat, 25 Jan 1997 09:37:40 +1100
From: Ben Elliston
To: Multiple recipients of list BUGTRAQ
Subject: GNU tar vulnerability

I reported the following vulnerability to AUSCERT, but they weren't
interested. People on this list might be, though!

GNU tar is lazy about file creation modes and file owners when unpacking
a tar file.
Because GNU tar defaults to creating files owned by the userid running
tar when the username is not found on your system, it can be possible
to inadvertently create setuid root programs. Let me give you an example:

On machine A, as user "fred" (uid doesn't matter), use gtar to create a
tar file of the directory ~/files. Inside the subdirectory, place a copy
of /bin/bash and, as fred, make the program setuid fred (the mode 4755
works well).

Send the tar file to someone on machine B where the user "fred" does not
exist and have them unpack the directory somewhere. Since "fred" does
not exist on machine B and gtar is being run as root, you have created a
world-executable setuid-root shell.

I stumbled on this when using a `tar | rsh tar' pipeline to transfer a
bunch of home directories from one machine to another. I thought all
users on the source machine existed on the destination, but this was not
the case. Furthermore, for all files owned by the users not on both
machines, they were created with ownership to root . . including some
setuid programs which were now setuid root!

It's very, very easy to get caught out by this. I'd like to see GNU tar
strip the setuid bit off files it has to revert the ownership for due to
an unknown original owner.

Ben.
--
Ben Elliston

From owner-freebsd-security Sat Jan 25 08:07:33 1997
From: "Michael's list account"
To: freebsd-security@freebsd.org
Date: Sat, 25 Jan 1997 19:07:07 +0300 (MSK)
Message-Id: <199701251607.TAA20535@comtat.kazan.su>

subscribe
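The ownership problem Ben Elliston describes in the GNU tar post above can be checked for before an archive is unpacked as root. The following is an added example, not code from the thread or from GNU tar: it audits an archive for setuid/setgid members whose recorded owner name does not exist locally, and extracts with those bits cleared, which is the mitigation Ben asks for. The archive it builds (a setuid copy of bash owned by a user "fred", plus a plain file) and the set of known local users are constructed for the demonstration.

```python
import io
import os
import pwd
import stat
import tarfile
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def local_user_names():
    """User names present in this system's passwd database."""
    return {entry.pw_name for entry in pwd.getpwall()}


def audit_setid_members(tar, known_users):
    """Return (name, mode, uname) for each member that carries setuid or
    setgid and whose recorded owner name is not a known local user: these
    are the entries an old GNU tar run as root would create owned by root
    while keeping the setuid/setgid bit from the archive."""
    return [
        (m.name, m.mode, m.uname)
        for m in tar.getmembers()
        if m.mode & SETID_BITS and m.uname not in known_users
    ]


def _extract_one(tar, member, dest):
    # Python 3.12+ (and security backports) offer extraction filters; the
    # 'data' filter also refuses links and paths that would land outside dest.
    if hasattr(tarfile, "data_filter"):
        tar.extract(member, dest, filter="data")
    else:
        tar.extract(member, dest)


def extract_without_orphan_setid(tar, dest, known_users):
    """Extract tar into dest, clearing setuid/setgid on members whose owner
    name is unknown locally. Returns the names of the members changed."""
    dest_real = os.path.realpath(dest)
    stripped = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError("member escapes destination: " + member.name)
        if member.mode & SETID_BITS and member.uname not in known_users:
            member.mode &= ~SETID_BITS
            stripped.append(member.name)
        _extract_one(tar, member, dest)
    return stripped


def build_constructed_archive():
    """Constructed sample (an assumption, not real data): a setuid 'fred'
    shell copy plus a plain file, as in the machine A / machine B story."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, mode, payload in (
            ("files/bash", 0o4755, b"#!/bin/sh\necho shell\n"),
            ("files/notes.txt", 0o644, b"hello\n"),
        ):
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.uname, info.gname = "fred", "users"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo(known_users=frozenset({"root", "daemon"})):
    """Audit the constructed archive, extract it with the bits cleared, and
    report the on-disk mode of files/bash: (risky, stripped, on_disk_mode).
    The default known_users set is an assumption standing in for machine B."""
    data = build_constructed_archive()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        risky = audit_setid_members(tar, known_users)
    with tempfile.TemporaryDirectory() as dest, \
            tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        stripped = extract_without_orphan_setid(tar, dest, known_users)
        path = os.path.join(dest, "files", "bash")
        on_disk_mode = stat.S_IMODE(os.stat(path).st_mode)
    return risky, stripped, on_disk_mode


if __name__ == "__main__":
    print(demo())
```

For a real archive, pass `local_user_names()` as `known_users`; the audit alone is enough to decide whether an archive should be unpacked as root at all.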