MCI Data Systems Division
internetMCI Security Group
MIIGS / MEALS Security Alert Report

Name: MIIGS / MEALS AlertN
Report Number: iMCISE:IMCIMIIGS:080395:01:P1R1
Report Date: 8/3/94
Report Format: Formal Report
Priority: Urgent
Report Classification: None
Report Distribution: MCI Internal Internet Gateway Security (MIIGS) / MCI Emergency Alert List (MEALS)

----------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

A major security hole in the Linux version of 'vacation' has been detected and corrected. This hole affects version 1.0 of 'vacation' as ported to Linux by Harald Milz (from Eric Allman's original BSD source) and found on sunsite.unc.edu and other FTP sites (and thus commonly used on Linux systems).

Note: The hole was introduced in the Linux port/version and does not appear to affect other, non-Linux-specific, versions of vacation.

The hole involved passing the Subject: and
From: headers of the incoming e-mail message to 'sed' and 'sendmail' via a system() call. The extreme danger of this, especially in a program that is taking input from remote systems, should be apparent to most people familiar with the system() call internals: system() hands its argument to /bin/sh, so any shell metacharacters a remote sender places in those headers are interpreted as shell syntax on the receiving machine.

Thanks go to Olaf Kirch for detecting this hole and for coding an initial fix, and to Harald Milz for enhancing Olaf's fix to provide the same functionality as his (Harald's) previous version.

Version 1.1 (recently uploaded to sunsite.unc.edu) is a "safe" version. UNDER _NO_ CIRCUMSTANCES SHOULD VERSION 1.0 BE USED!

Here is the LSM entry for the updated version:

Begin3
Title:          Automatic mail answering program for Linux
Version:        1.1
Entered-Date:   July 29, 1995
Description:    This is the port of the 386bsd vacation program to Linux.
                Vacation is the automatic mail answering program found on
                many Unix systems. This is a security-fixed version.
                PLEASE DON'T USE vacation-1.0 ANY LONGER!
Keywords:       vacation, mail answering
Author:         Eric Allman (?)
Maintained-By:  Harald Milz (hm@seneca.ix.de)
Primary-Site:   sunsite.unc.edu /pub/Linux/system/Mail/mailhandlers
                28 KB vacation-1.1.tar.gz
Original-Site:  agate.berkeley.edu (as of Nov 16, 1993)
Platforms:      GCC 2.6.3, libc 5.0.9 or libc 4.7.2
Copying-Policy: Copyright (c) 1983, 1987 Regents of the University of California
                changes relative to the original version: GPL
End

In addition to Sunsite, the updated version is available in linux.nrao.edu:/pub/linux/security/vacation/.
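The safe alternative to the pattern described above is to never hand a mail header to a shell at all: build an argv vector and exec the mailer directly, so the whole Subject value arrives as one literal argument. The following is an added illustration, not code from vacation 1.0 or 1.1 and not Harald's or Olaf's fix; it uses a caller-supplied mailer path (the test stands in /bin/echo for sendmail) and a constructed Subject containing shell metacharacters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv[] directly with execv (no /bin/sh involved) and capture the
   child's stdout into buf. Returns the child's exit status, -1 on error. */
int run_capture(char *const argv[], char *buf, size_t buflen) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execv(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fd[1]);                        /* parent: read until EOF */
    size_t n = 0;
    ssize_t r;
    while (n + 1 < buflen && (r = read(fd[0], buf + n, buflen - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical reply helper: the incoming Subject becomes ONE argv element,
   so characters like ; $( ) ` reach the mailer verbatim instead of being
   interpreted, which is what a system("... " + subject) call would do. */
int send_reply(const char *mailer, const char *subject, char *out, size_t outlen) {
    char subj[512];
    snprintf(subj, sizeof subj, "Re: %s", subject);   /* truncates if too long */
    char *argv[] = { (char *)mailer, subj, NULL };
    return run_capture(argv, out, outlen);
}
```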
MD5 checksum of the tar-file on linux.nrao.edu is:

f37ab91e18de1caa2c657509d8eb073b  vacation-1.1.tar.gz

Note: For those that get syslog messages from 'sendmail' saying "mailer prog died with signal 13" when running this new v1.1 (it's a SEGV; the 13 is octal), try the following patch (Harald plans on adding this, as well as a couple of other slight modifications that I have made, in a future public update to the newly-released v1.1):

diff -u --recursive 1.1-hm/vacation.c 1.1/vacation.c
--- 1.1-hm/vacation.c	Sat Jul 29 18:08:57 1995
+++ 1.1/vacation.c	Sun Jul 30 13:39:41 1995
@@ -184,8 +184,8 @@
 		setreply();
 		(void) gdbm_close(db);
 		sendmessage(pw->pw_name);
-	}
-	(void) gdbm_close(db);
+	} else
+		(void) gdbm_close(db);
 	exit(0);
 	/* NOTREACHED */
 }

--
Jeff Uphoff - systems/network admin.  | juphoff@nrao.edu
National Radio Astronomy Observatory  | jeff.uphoff@linux.org
Charlottesville, VA, USA              | http://linux.nrao.edu/~juphoff/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

"Success through teamwork"
===============================================================================
Dale Drew
MCI Telecommunications
Manager internetMCI Security Engineering
Voice: 703/715-7058   Internet: ddrew@mci.net
Fax: 703/715-7066     MCIMAIL: Dale_Drew/644-3335
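Review bot: in the vacation.c hunk at @@ -184,8 +184,8 @@, the old code closes db twice on the reply path (once before sendmessage(pw->pw_name) and again after the block), which is the double gdbm_close() behind the SIGSEGV the note describes; the added else makes the second close exclusive to the no-reply path, but nothing in the hunk records that intent, so add a comment at the first `(void) gdbm_close(db);` stating that the database must be closed exactly once before exit(0) and that the early close is deliberate because sendmessage() follows it, otherwise a later edit can easily reintroduce the double close.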