Bugtraq mailing list archives

News Bug


From: pmetzger () lehman com (Perry E. Metzger)
Date: Thu, 24 Feb 1994 23:39:27 -0500


[I am cc:ing this message to Henry Spencer.]

In the spirit of full disclosure in which the bugtraq list was started:

Examination of the cnews control message processing reveals that the
scripts used to execute the control messages pass chunks of the
contents of those messages to "mail". If your cnews is installed in
the default manner on a BSD type system, /bin and /usr/bin come before
/usr/ucb in the path for the news executables and /bin/mail is
executed -- however, if /usr/ucb comes first in the path because of a
nonstandard installation /usr/ucb/mail gets run and tilde escapes,
including ~! -- the bad implications of this should be obvious.

I do not know if there are similar problems in INN.

This is apparently the security hole that some people have been
obliquely discussing.

What to do:

1) If /bin and /usr/bin are in the path of your news scripts first,
   you have nothing immediately to worry about. You might apply the
   following fixes anyway.
2) Most safely, replace references to "mail" with "/bin/mail".
3) Slightly less safely, assure that "/bin" and "/usr/bin" are in the
   path first. It is entirely possible that there is some way to force
   these to the end of the path using another trick -- I don't know
   how this might be done but shell scripts are tricky to plug all
   holes on. Therefore, I would do 2).
4) No matter what, assure that your scripts run as user "news" or
   otherwise as a non-root user. This will make sure that the impact
   of any other holes is minimized. The scripts should already be
   running this way in an ordinary installation, but yours might not
   be ordinary.

Perry Metzger
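
An added audit sketch for the checks in the "What to do" list above (not part of the original post or of C News): it resolves which `mail` a given PATH would run and lists script lines that call `mail` without a directory prefix. The function names and the ROOT test prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added audit sketch; not part of C News. ROOT is a hypothetical prefix
# used only to point the check at a constructed test tree.

# Print the first directory in PATH string $1 that holds an executable "mail".
first_mail_dir() (
    root=${2:-}
    set -f          # no globbing while splitting (subshell keeps this local)
    IFS=:
    for d in $1; do
        [ -n "$d" ] || d=.                 # empty PATH entry means cwd
        case $d in /*) f=$root$d/mail ;; *) f=$d/mail ;; esac
        if [ -f "$f" ] && [ -x "$f" ]; then
            printf '%s\n' "$d"
            exit 0
        fi
    done
    exit 1
)

# Report which mail a script with PATH $1 would run; fail if it is the
# /usr/ucb one (the mailer the post says honours tilde escapes).
check_path() {
    dir=$(first_mail_dir "$1" "${2:-}") || { echo "no mail in PATH"; return 2; }
    if [ "$dir" = /usr/ucb ]; then
        echo "RISK: bare \"mail\" resolves to $dir/mail"
        return 1
    fi
    echo "OK: bare \"mail\" resolves to $dir/mail"
}

# Heuristic: list lines in the given scripts that invoke "mail" without a
# directory prefix, i.e. candidates for the post's fix 2 (use /bin/mail).
bare_mail_lines() {
    grep -nE '(^|[^/[:alnum:]_.-])mail([[:space:]]|$)' "$@"
}

# Usage: sh audit.sh SCRIPT...   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    check_path "$PATH" || :
    bare_mail_lines "$@" || echo "no unqualified mail calls found"
fi
```

The grep pattern is a heuristic and can also match the word in comments, so review each hit by hand; run the PATH check with the PATH your news scripts actually set, not your login shell's.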


