Re: sperl 5.00503 (and newer ;) exploit

["H. Peter Anvin" <hpa () TRANSMETA COM>]

Thomas Roessler wrote:
> On 2000-08-08 14:27:03 -0400, Greg A. Woods wrote:
>
> > I've been rather dismayed by the number of people posting patches
> > which claim to "fix" mailx, aka BSD Mail.  One could contend that
> > it's not even broken in the first place!
>
> Indeed.
>
> The fact that input to mailx (or to mailx mimicking /bin/mail)
> should be sanitized can be assumed to be well-known since - at
> least! - the days of CNews, which has some code to that avail in the
> scripts sending mail messages to administrators.  Failure to do so
> is plainly the fault of the calling application, and should not be
> taken as a reason for removing traditional and well-established
> behaviour.
>
> Just as well, the fact that the environment should be sanitized in a
> white-list approach before calling external programs from programs
> running setuid (and passing privileges to these external programs!)
> has been well-known for ages.  Not following this guideline is
> plainly the fault of the calling application.

For what it's worth, these kinds of issues with /bin/mail is part of why the draft Linux Standards Base (LSB) 
specification specifies a subset of the /usr/sbin/sendmail CLI (which doesn't mean it actually has to be Sendmail!) as 
the only recognized injection point for mail.

        -hpa

--
<hpa () transmeta com> at work, <hpa () zytor com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt