From owner-freebsd-security Fri Apr 14 03:57:31 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id DAA14421 for security-outgoing; Fri, 14 Apr 1995 03:57:31 -0700
Received: from sovcom.kiae.su (sovcom.kiae.su [144.206.136.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id DAA14414 for ; Fri, 14 Apr 1995 03:57:25 -0700
Received: by sovcom.kiae.su id AA05213 (5.65.kiae-2 ); Fri, 14 Apr 1995 14:45:11 +0400
Received: by sovcom.KIAE.su (UUMAIL/2.0); Fri, 14 Apr 95 14:45:10 +0300
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id OAA00385; Fri, 14 Apr 1995 14:34:15 +0400
To: Mike Pritchard
Cc: freebsd-security@FreeBSD.org
References: <199504140852.DAA00743@mpp.com>
In-Reply-To: <199504140852.DAA00743@mpp.com>; from Mike Pritchard at Fri, 14 Apr 1995 03:52:08 -0500 (CDT)
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Fri, 14 Apr 1995 14:34:15 +0400
X-Mailer: Mail/@ [v2.32 FreeBSD]
From: "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h
Lines: 38
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 1721
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504140852.DAA00743@mpp.com> Mike Pritchard writes:
>> ache 95/04/13 13:58:15
>>
>> Modified: usr.sbin/cron/cron Makefile do_command.c
>> Removed: usr.sbin/cron/cron bitstring.3 bitstring.h
>> Log:
>> Really fix MAILTO hole by parsing spaces.
>> Remove local bitstring copy

>I can also overrun the "mailcmd" buffer that the sendmail command + arguments
>is sprintfed into by having a 1000 character MAILTO variable.

>Both of these are good examples of why suid root programs that work with
>user supplied arguments should only accept arguments that conform to a
>strictly defined format. Cron_popen() needs to be fixed to check that it
>isn't going past the end of the argument array to fix the above problem
>and do_command() should call snprintf() instead of sprintf() to prevent
>overruns of the mailcmd buffer.

I'll try to look at it; maybe even cron_popen() doesn't need fixing, only
adding a count number to sscanf (NAME = %[^#\n]) can help, but I am not
sure yet...

>Again, changing cron to require that MAILTO only contain a valid local
>user name avoids both of these problems.

I don't understand how local user names can fix overflow problems.
I don't understand the advantage of local names either; you can make a
.forward with all needed aliases in any case. The manpage doesn't say that
it can contain local users only; it can be my home address, e.g. (as
opposed to my office address).

-- 
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849
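The three defects discussed in this thread (an unbounded sscanf scanset when reading a crontab environment line, an sprintf() into a fixed-size mailcmd buffer, and a MAILTO value that carries spaces into the sendmail argument list) are shown below in one added example. This is not cron's own code and not code from either poster: it is a simplified model in which the recipient is spliced into the command line, the MAX_COMMAND/MAX_ENVSTR sizes, MAILARG path and MAILFMT string are assumptions, and the sample crontab lines are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed sizes and strings, modelled loosely on cron; not quoted from it. */
#define MAX_COMMAND 1000
#define MAX_ENVSTR  1000
#define MAILARG     "/usr/sbin/sendmail"                    /* assumed path */
#define MAILFMT     "%s -FCronDaemon -odi -oem -oi -t %s"  /* simplified model */

/* Parse one crontab environment line of the form NAME = value.
 * The 999 width on each %[ scanset bounds what sscanf() may write into the
 * 1000-byte buffers; an unbounded "%[^#\n]" would overrun 'value' on a long
 * crontab line. Returns 1 on a well-formed line, 0 otherwise. */
int parse_env_line(const char *line, char name[MAX_ENVSTR], char value[MAX_ENVSTR])
{
    name[0] = value[0] = '\0';
    if (sscanf(line, " %999[^ =] = %999[^#\n]", name, value) != 2)
        return 0;
    size_t n = strlen(value);                /* strip trailing blanks */
    while (n > 0 && isspace((unsigned char)value[n - 1]))
        value[--n] = '\0';
    return 1;
}

/* The "parsing spaces" half of the fix: whitespace or shell metacharacters in
 * MAILTO could smuggle extra sendmail arguments, and a leading '-' would be
 * read as an option. Accept only a conservative address character set. */
int mailto_is_sane(const char *mailto)
{
    if (*mailto == '\0' || *mailto == '-')
        return 0;
    for (const char *p = mailto; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || strchr("@._-+", c)))
            return 0;
    }
    return 1;
}

/* Build the sendmail command line. With sprintf() a ~1000-byte MAILTO writes
 * past the end of mailcmd; snprintf() bounds the write, and checking its
 * return value turns silent truncation into a refusal. Returns the length
 * written, or -1 if the recipient is rejected or the command does not fit. */
int build_mailcmd(const char *mailto, char mailcmd[MAX_COMMAND])
{
    if (!mailto_is_sane(mailto))
        return -1;
    int n = snprintf(mailcmd, MAX_COMMAND, MAILFMT, MAILARG, mailto);
    if (n < 0 || n >= MAX_COMMAND) {
        mailcmd[0] = '\0';
        return -1;
    }
    return n;
}

/* Run a crontab line through both steps.
 * Returns 0 on success, 1 if the line is not a MAILTO setting, 2 if the
 * recipient or the resulting command line was rejected. */
int crontab_line_status(const char *line, char mailcmd[MAX_COMMAND])
{
    char name[MAX_ENVSTR], value[MAX_ENVSTR];
    if (!parse_env_line(line, name, value) || strcmp(name, "MAILTO") != 0)
        return 1;
    return build_mailcmd(value, mailcmd) < 0 ? 2 : 0;
}

/* Constructed input: "MAILTO=" followed by n letters, for the overrun case. */
int status_for_mailto_of_length(size_t n)
{
    char line[2048], mailcmd[MAX_COMMAND];
    if (n > sizeof line - 8)
        n = sizeof line - 8;
    memcpy(line, "MAILTO=", 7);
    memset(line + 7, 'a', n);
    line[7 + n] = '\0';
    return crontab_line_status(line, mailcmd);
}

int main(void)
{
    char mailcmd[MAX_COMMAND];
    const char *lines[] = {                  /* constructed sample lines */
        "MAILTO=ache@astral.msk.su",
        "MAILTO = root # comment",
        "MAILTO=root -C/tmp/evil.cf",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = crontab_line_status(lines[i], mailcmd);
        printf("rc=%d %s\n", rc, rc == 0 ? mailcmd : "(rejected)");
    }
    printf("1200-byte MAILTO: rc=%d\n", status_for_mailto_of_length(1200));
    return 0;
}
```

The width in the scanset and the snprintf() return check address the two overflow paths independently; the character whitelist is what actually closes the argument-smuggling hole, and it does so without requiring the address to be a local user.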