Home page logo

bugtraq logo Bugtraq mailing list archives

Re: security hole in mailx
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Thu, 25 Jun 1998 12:07:18 -0600

Of course the OpenBSD mailx program isn't setuid or setgid.

But we did an audit of the source code anyways.  This particular
buffer overflow isn't possible in our code, since $HOME is ignored the
moment it becomes longer than MAXPATHNAMELEN.

We found and fixed numerous other problems in mailx.  If anyone
intends to make this program setuid or setgid, they need to do a
significant amount of work... or just copy our code.

But I don't gaurantee all problems are fixed in our version... since
we are not running setgid.  We use a different mechanism for mail
spool locking.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]