Bugtraq mailing list archives
Vulnerability in metamail
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Fri, 24 Oct 1997 22:42:11 +0100
Ok, I'm sure the topic "vulnerability in metamail" has those who've been near the code at the very least unsurprised. The right things to do with metamail are either

a) Use it as a course example on why not to write programs in sh
b) Throw it out and write it in C

For the moment however this one appears to be covered ok by using uudecode's -o option to force the output file.

A couple of scripts in metamail (notably sun-audio-file) blindly uudecode something assuming the filename will be reasonable. It does do things in a /tmp dir but if you know someone's home dir and bung in a full path then surprise surprise it uudecodes where asked - so you can send people sun-audio-file .rhosts for example.

It seems to be sufficient to change from

    if (! $?METAMAIL_TMPDIR) then
        set METAMAIL_TMPDIR=/tmp
    endif
    cd ${METAMAIL_TMPDIR}
    uudecode < $1
    audiotool audio-file

To use

    uudecode <$1 -o audio-file

This isn't the only problem file tho. This seems to affect anybody using metamail - that's generally folks using Elm and things like Andrew in some cases. Several Linux distributions ship a metamail kit. A fix for Redhat 4.x is now available on ftp.redhat.com.

Alan
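The problem described in the message comes from the sender-chosen name in the uuencode "begin MODE NAME" header. The following is an added example, not part of the original post and not metamail code: a POSIX sh sketch that vets that name and decodes only to a name the script picks. The function names, the sample files and the policy of also rejecting dotfiles are assumptions made for illustration; `uu_decode_fixed` assumes a uudecode that supports -o, as the post describes.

```sh
#!/bin/sh
# Added example, not metamail code: vet the sender-chosen name in a uuencode
# "begin MODE NAME" header, then decode only to a name the script picks.

# Print NAME from the first "begin MODE NAME" line of file $1 (empty if none).
uu_header_name() {
    sed -n 's/^begin [0-7]\{3,4\} \(.*\)$/\1/p' "$1" | head -n 1
}

# Succeed only for a plain basename: no path separator, no leading dot.
uu_name_is_safe() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "ok NAME" or "reject NAME" for file $1.
uu_check() {
    name=$(uu_header_name "$1")
    if uu_name_is_safe "$name"; then echo "ok $name"; else echo "reject $name"; fi
}

# Decode $1 into a fresh private directory under a fixed name, ignoring the
# header name entirely (assumes a uudecode with -o, as the post describes).
uu_decode_fixed() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/uu.XXXXXX") || return 1
    uudecode -o "$dir/audio-file" "$1" && echo "$dir/audio-file"
}

# Constructed sample inputs: only the header line matters for the check.
write_samples() {
    printf 'begin 644 audio-file\n#86)C\n`\nend\n' > "$1/plain.uu"
    printf 'begin 644 /constructed/home/.rhosts\n#86)C\n`\nend\n' > "$1/abs.uu"
    printf 'begin 600 ../../escape\n#86)C\n`\nend\n' > "$1/rel.uu"
}

demo=$(mktemp -d "${TMPDIR:-/tmp}/uudemo.XXXXXX")
write_samples "$demo"
for f in plain abs rel; do uu_check "$demo/$f.uu"; done
rm -rf "$demo"
```

The header check is useful for logging or quarantining suspicious attachments; the forced output name is what actually removes the sender's control over the write location.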