Bugtraq mailing list archives
Re: An exploit for linux mh ver 6.8.4-5 ( update ) ...
From: miquels () CISTRON NL (Miquel van Smoorenburg)
Date: Mon, 23 Mar 1998 13:16:46 +0100
In article <6f1d0j$8n9$1 () defiant cistron nl>, Miquel van Smoorenburg <miquels () CISTRON NL> wrote:
> In article <Pine.LNX.3.96.980321161207.2339A-100000 () mercury redhat com>, Erik Troan <ewt () REDHAT COM> wrote:
>> On Sat, 21 Mar 1998, Catalin Mitrofan wrote:
>>> host (user):~>. .mh_profile
>>> bash#
>>
>> Thanks for finding this -- I just put a fix on ftp.redhat.com.
>
> I've tried this with the Debian mh_6.8.4-17 package, and nothing happens. (It prints a lot of junk and then exits). Also, mh_check is installed setgid mail, not setuid root.
I have checked the source, and the RedHat fix. It appears that the Debian mh_6.8.4-17 *is* vulnerable, but not with Catalin's exploit (would probably work with some hacking). I've placed a bugreport, and a patch, with severity "critical" into Debian's bugsystem. There should be a fix soon.

Mike.
--
Miquel van Smoorenburg | Our vision is to speed up time,
miquels () cistron nl | eventually eliminating it.