Re: Debian not vulnerable to recent cron buffer overflow

[peter () NETPLEX COM AU (Peter Wemm)]

Marc Merlin wrote:
[..]
> > Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> > covering a buffer overflow in the vixie cron package.  Debian has
> > discovered this bug two years ago and fixed it.  Therefore versions in
> > both, the stable and the unstable, distributions of Debian are not
> > vulnerable to this problem..
>
> Does anyone know  if Debian never sent the  fix to Paul Vixie, or  if it was
> sent and Paul "missed it"?

I'm not sure what or how it happened, but in FreeBSD at least this problem
was solved differently, and quite some time ago.  FreeBSD's cron doesn't
supply the arguments to sendmail, it uses sendmail -t and prints the
recipient name in the To: header, letting sendmail decide if it's a valid
recipient address or not.

revision 1.3
date: 1995/04/14 21:54:16;  author: ache;  state: Exp;  lines: +3 -2
Fix MAILTO hole by passing -t to sendmail
Submitted by: Mike Pritchard <pritc003 () maroon tc umn edu>

Cheers,
-Peter

--
Peter Wemm - peter () FreeBSD org; peter () yahoo-inc com; peter () netplex com au