Here is the announcement for the next series of majordomo security
patches. Please DO NOT distribute this since it is not in its final
form.

The patch for new-list is enclosed. This does not result in a version
change. This patch IS NEEDED if you will be using any version of
majordomo prior to or INCLUDING majordomo 1.91.

I have implemented Brent's original patch for sendmail that uses the
-t flag to prevent having to pass any arguments on the command
line. This should fix all of that class of sendmail bugs.

Because of this and an addition to valid_addr I believe that the
second class of exploits is closed for all mailers including those
that must have the recipients supplied on the command line.

If you have a mailer that requires the use of the $to variable in its
invocation, please let me know what mailer it is.

Note these patches have only been minimally tested. I can't test them
fully since I am not on a secure line and I don't want to become root
from the USENIX terminal room.
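The two measures the message describes (the valid_addr rule from the majordomo.pl hunk and the -t, list-form mailer invocation) reworked as an added stand-alone Perl 5 example; this is not part of the patch or majordomo's own code, and the sample addresses and the `compose` and `mailer_argv` helper names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the majordomo patch: the valid_addr rule and
# the -t / list-form mailer call, as stand-alone Perl 5 so the logic can be
# exercised without a mailer or root access.
use strict;
use warnings;

# Same rule as the patched valid_addr: "|" or "/" in an address is hostile
# (pipe or file name), and so is a leading "-" (it would parse as a mailer
# option if the address ever reached argv).
sub valid_addr {
    my ($addr) = @_;
    return 0 if ($addr =~ tr{|/}{|/}) != 0;   # tr returns the match count
    return 0 if $addr =~ /^-/;
    return 1;
}

# Build the mailer command as a list, never as one shell string. With -t
# sendmail reads recipients from the To:/Cc:/Bcc: headers on stdin, so no
# user-supplied address is ever placed on the command line.
sub mailer_argv {
    my ($sender) = @_;     # $sender comes from the list config, not the poster
    return ('/usr/lib/sendmail', "-f$sender", '-t');
}

# Compose the message; the To: header is now the only place the recipient
# appears, which is what makes -t safe to use.
sub compose {
    my ($to, $from, $body) = @_;
    return "To: $to\nFrom: $from\n\n$body\n";
}

# Constructed sample input: one benign address and three the check rejects.
for my $addr ('user@example.com', '-bogus', 'a|b', 'x/y') {
    printf "%-18s %s\n", $addr, valid_addr($addr) ? 'ok' : 'HOSTILE ADDRESS';
}

# In the real scripts this is: open(MAIL, '|-') || exec(mailer_argv($sender));
# (the child, where open returns 0, execs with no shell in between).
my @argv = mailer_argv('majordomo-owner');
print "would exec: @argv\n";
print compose('user@example.com', 'Majordomo', 'test body');
```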
===================================================================
RCS file: /sources/cvsrepos/majordomo/majordomo.cf,v
retrieving revision 1.15
diff -c -r1.15 majordomo.cf
*** 1.15 1994/05/07 18:32:25
--- majordomo.cf 1994/06/09 00:03:53
***************
*** 25,31 ****
$log = "$homedir/Log";
# $mailer -- What program and args do I use to send mail?
! $mailer = "/usr/lib/sendmail -f\$sender \$to";
# Majordomo will look for "get" and "index" files related to $list in
# directory "$filedir/$list$filedir_suffix", so set $filedir and
--- 25,31 ----
$log = "$homedir/Log";
# $mailer -- What program and args do I use to send mail?
! $mailer = "/usr/lib/sendmail -f\$sender -t";
# Majordomo will look for "get" and "index" files related to $list in
# directory "$filedir/$list$filedir_suffix", so set $filedir and
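Review bot: with `-t` replacing `\$to` on the `$mailer` line, sendmail now takes its recipients from the To:, Cc: and Bcc: headers of the message written to it, so every caller of `$mailer` must emit those headers itself or nothing is delivered. The `-f\$sender` argument is still interpolated from a variable, so `$sender` should only ever come from the list configuration, never from the incoming message, and deserves the same `valid_addr` style check before it lands on a command line.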
===================================================================
RCS file: /sources/cvsrepos/majordomo/majordomo.pl,v
retrieving revision 1.12.2.1
diff -c -r1.12.2.1 majordomo.pl
*** 1.12.2.1 1994/06/08 02:25:35
--- majordomo.pl 1994/06/09 00:01:22
***************
*** 241,247 ****
}
# Globals referenced by &set_mail* and &sendmail
! $mail_prog = "/usr/lib/sendmail -f\$sender \$to";
$mail_from = "Majordomo";
$mail_sender = "Majordomo-Owner";
--- 241,247 ----
}
# Globals referenced by &set_mail* and &sendmail
! $mail_prog = "/usr/lib/sendmail -f\$sender -t";
$mail_from = "Majordomo";
$mail_sender = "Majordomo-Owner";
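Review bot: `$mail_prog` here is a second copy of the default that the majordomo.cf hunk changes; a site whose `.cf` still carries the old `\$to` form will silently override this safer default, so the release notes should tell admins to update their `.cf`, or the code should warn when `$mail_prog` contains `\$to`. The same provenance point about `-f\$sender` applies here.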
***************
*** 359,364 ****
--- 359,369 ----
# if there's a "|" or a "/" in it, it's hostile
if (tr/|\//|\// != 0) {
+ &main'abort("HOSTILE ADDRESS $addr");
+ return undef;
+ }
+
+ if ( /^-/ ) {
&main'abort("HOSTILE ADDRESS $addr");
return undef;
}
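Review bot: the two `if` blocks abort with the identical message and could be a single condition, `if (tr/|\//|\// != 0 || /^-/) {`, which also avoids the `+ }` / `+ if` splice in the middle of the original block. More importantly, the leading-dash test only guards the first character: an address with embedded whitespace still passes here yet is tokenized into separate arguments wherever the command string is built with `split(' ', ...)` (as resend does). Either reject whitespace in `valid_addr` as well, or make sure no remaining code path places a user-supplied address on the mailer's argv now that `-t` is available.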
===================================================================
RCS file: /sources/cvsrepos/majordomo/new-list,v
retrieving revision 1.3
diff -c -r1.3 new-list
*** 1.3 1994/05/02 17:31:31
--- new-list 1994/06/09 00:02:33
***************
*** 37,44 ****
$in_reply_to = $hdrs{"message-id"} . ", from " . $hdrs{"from"};
$list = $ARGV[0];
! open(MAIL, "|/usr/lib/sendmail -f$list-approval $reply_to $list-approval") ||
! die("Can't connect to sendmail: $!");
print MAIL <<"EOM";
To: $reply_to
--- 37,45 ----
$in_reply_to = $hdrs{"message-id"} . ", from " . $hdrs{"from"};
$list = $ARGV[0];
! open(MAIL, "|-") ||
! &do_exec_sendmail(split(' ',
! "/usr/lib/sendmail -f$list-approval -t"));
print MAIL <<"EOM";
To: $reply_to
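Review bot: the old command line delivered to both `$reply_to` and `$list-approval`, but the `-t` invocation delivers only to what the headers name, and the visible heredoc has just `To: $reply_to`; add a `Cc: $list-approval` (or Bcc:) header line, otherwise the approval address silently drops off the copy list. Also `$list` is `$ARGV[0]` and is interpolated into a string that is then `split(' ', ...)`, so a list name containing whitespace becomes extra argv words and one starting with a dash becomes a bogus `-f` value; validate `$list` (a conservative character set, no leading dash) before building the command.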
***************
*** 83,85 ****
--- 84,91 ----
close(MAIL);
exit 0;
+
+ sub do_exec_sendmail {
+ exec(@_, "");
+ die("Failed to exec mailer \"@_\": $!");
+ }
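Review bot: `exec(@_, "")` appends an empty string as a final argument, which sendmail will see as an empty recipient address. If the intent is to force the list form of `exec` so no shell is involved, `@_` already has several elements from the caller's `split` and the extra `""` is unnecessary; if it is deliberate it needs a comment. The `die` correctly runs only when `exec` fails, but the parent's `close(MAIL)` in this hunk's context should have its return value checked so a failed exec is not reported as a successful send.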
===================================================================
RCS file: /sources/cvsrepos/majordomo/request-answer,v
retrieving revision 1.2.6.1
diff -c -r1.2.6.1 request-answer
*** 1.2.6.1 1994/06/08 02:25:38
--- request-answer 1994/06/09 00:05:22
***************
*** 38,44 ****
$list = $ARGV[0];
sub do_exec_sendmail {
! exec("/usr/lib/sendmail", "-f$list-request", "$reply_to") ||
die("Failed to exec sendmail");
}
--- 38,44 ----
$list = $ARGV[0];
sub do_exec_sendmail {
! exec("/usr/lib/sendmail", "-f$list-request", "-t") ||
die("Failed to exec sendmail");
}
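Review bot: this is already the list form of `exec`, so no shell sees `$list`, but `$list` still comes from `$ARGV[0]` and lands in `-f$list-request`; a list name beginning with a dash or containing whitespace should be rejected before this point since sendmail will parse the resulting sender address. Because `$reply_to` was the explicit recipient before and is now gone from argv, the headers written to this pipe must carry `To: $reply_to`. Minor: the `die` message omits `$!`, unlike the one added in new-list; include it for consistent diagnostics.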
===================================================================
RCS file: /sources/cvsrepos/majordomo/resend,v
retrieving revision 1.28.2.1
diff -c -r1.28.2.1 resend
*** 1.28.2.1 1994/06/08 02:25:40
--- resend 1994/06/09 00:02:03
***************
*** 441,449 ****
if (defined($opt_d)) {
# debugging, so just say it, don't do it
open(MAIL, ">-");
! print MAIL ">>> /usr/lib/sendmail -f$sendmail_sender $to\n";
} else {
! local(@mailer) = split(' ',"/usr/lib/sendmail -f$sendmail_sender $to");
open(MAIL, "|-") || &do_exec_sendmail(@mailer);
}
--- 441,449 ----
if (defined($opt_d)) {
# debugging, so just say it, don't do it
open(MAIL, ">-");
! print MAIL ">>> /usr/lib/sendmail -f$sendmail_sender -t\n";
} else {
! local(@mailer) = split(' ',"/usr/lib/sendmail -f$sendmail_sender -t");
open(MAIL, "|-") || &do_exec_sendmail(@mailer);
}
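Review bot: `-t` makes sendmail address the message to whatever To:, Cc: and Bcc: headers it reads from stdin, and in resend those headers originate from the posted message; unless the code that writes to MAIL rewrites them to the list address (and strips Bcc:) before this point, delivery would follow the poster's headers rather than the list's. Please confirm that header rewriting happens upstream. `$sendmail_sender` is still interpolated and then `split(' ', ...)`, so it must not contain whitespace; the debug branch does correctly mirror the real command line.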
===================================================================
RCS file: /sources/cvsrepos/majordomo/sample.cf,v
retrieving revision 1.4
diff -c -r1.4 sample.cf
*** 1.4 1994/05/08 20:27:38
--- sample.cf 1994/06/09 00:11:41
***************
*** 29,35 ****
$log = "$homedir/Log";
# $mailer -- What program and args do I use to send mail?
! $mailer = "/usr/lib/sendmail -f\$sender \$to";
# Majordomo will look for "get" and "index" files related to $list in
# directory "$filedir/$list$filedir_suffix", so set $filedir and
--- 29,39 ----
$log = "$homedir/Log";
# $mailer -- What program and args do I use to send mail?
! # The variable $to can be interpolated into this command line,
! # however the $to variable is provided by the person sending mail,
! # and much mischief can be had by playing with this variable.
! # Use $to with care.
! $mailer = "/usr/lib/sendmail -f\$sender -t";
# Majordomo will look for "get" and "index" files related to $list in
# directory "$filedir/$list$filedir_suffix", so set $filedir and
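Review bot: the new comment warns about `$to` but does not say what replaced it; please add that `-t` tells sendmail to take recipients from the message's To:/Cc:/Bcc: headers, so an admin substituting another mailer here understands that the headers are now the delivery mechanism, and that a mailer which needs an explicit recipient must receive a `valid_addr`-checked `$to` through the list-form exec in resend, never through a shell. Minor: "however the $to variable is provided by the person sending mail" reads better as its own sentence.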
-- John
John Rouillard
Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred) Boston, MA, (617) 287-6480
==============================================================================
My employers don't acknowledge my existence much less my opinions.