The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #291 [Re: ~uucp/.forward] (1 message, 1355 bytes)


From: (Carl S. Gutekunst)
To: phage
Date: Sun 04:10:53 20/11/1988 EST
Subject: Re: ~uucp/.forward
References: [Thread Prev: 270] [Thread Next: 294] [Message Prev: 286] [Message Next: 287]

Rich Sez:
>I believe it is time to post information on the "rmail" hole NOW.

Arrggghhh. I don't need these moral dilemmas! While I don't care for Peter's
Security Glasnost, I'm not crazy about keeping all this stuff under the table,
either. Help! Spaf, lend me your wisdom.... If you guys say do it, I will. Of
course, I'll post sources for the new rmail.c as well.

Incidentally, I've been pretty unhappy about the general badmouthing UNIX
vendors have gotten, particularly Vernon Schryver's claim that posting these
security holes is the only way to get vendors to fix them. I *can't* be the
only vendor's R&D person who is banging his head against the wall over this
stuff. I mean, there's Barry Shein, and Paul Vixie, and.... But Vernon *is* a
vendor's R&D person, so maybe he's allowed to prod the rest of us? :-)

And what Peter said that started this latest mess:
>In that same vein [of security Glasnost], i offer the following honey danber
>"experiment." (sansfix!  if you have this bug, go bug your vendor.)

[hdbworm code follows.]

Yes, this vendor has that bug. :-( Peter will be pleased to know, though, that
someone did a quite exhaustive security cleanup job on uuxqt.c for SVR3.2 BNU,
and this hole was fixed (along with several others). So those who get BNU from
Sun will not have this bug.  For those of you with source licenses, upgrade to
SVR3.2. For those of you with binary licenses, upgrade to SVR3.2....

4.3BSD has never had the hdbworm bug, and other UUCP versions are too stupid
to have it. (They don't support the 'R' uux JCL command.)

4.3BSD UUCP and SVR3.2 BNU react quite differently. 4.3BSD runs the job
normally, and only sanity-checks the originator's address if something fails
(that is, it needs to send to the originator). It logs the error, and sends
mail to "hostname!postmaster" instead. SVR3.2 BNU checks the username
immediately after parsing the JCL file; upon finding an illegal character, it
just writes a log message and discards the job.