Date: Fri, 12 Apr 2002 07:46:57 +0200 From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl> To: security@freebsd.org Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems Message-ID: <20020412074657.K58987@lagoon.freebsd.lublin.pl> In-Reply-To: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>; from brett@lariat.org on Thu, Apr 11, 2002 at 02:12:01PM -0600 References: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Apr 11, 2002 at 02:12:01PM -0600, Brett Glass wrote: > Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly, > and monthly maintenance scripts, because they use sendmail rather > than /bin/mail. Nonetheless, the same patch should be applied to > FreeBSD's /bin/mail due to the possibility that other privileged > utilities (or user-written scripts) might use /bin/mail instead of > sendmail to create e-mail messages. FreeBSD's /usr/bin/mail doesn't accept ~! when working in non-interactive mode. lagoon:/home/venglin> echo "~\!touch foo" | mail venglin lagoon:/home/venglin> ls -la foo ls: foo: No such file or directory -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020412074657.K58987>