


Related information

  Bugs in mail.local

  [TL-Security-Announce] Linux Kernel TLSA2000013-1

  unsafe fgets() in sendmail's mail.local

From: Claus Assmann <ca+bugtraq_(at)_ZARDOC.ENDMAIL.ORG>
Date: 26.04.2000
Subject: Re: unsafe fgets() in sendmail's mail.local

On Mon, Apr 24, 2000, 3APA3A wrote:
> Topic:
>       unsafe fgets() in sendmail's mail.local

>       1. Possibility to insert LMTP commands into e-mail message
>       2. Possibility of deadlock between sendmail and mail.local
>       3. Possibility to corrupt user's mailbox
>       4. Possibility to change e-mail headers of the message in user's
>       mailbox

> Vulnerable software:
>      Problems 1 and 2: sendmail before 8.10.0 (8.9.3 tested), all
>      platforms
>      Problems 3 and 4: sendmail 8.10.0 and 8.10.1 (8.10.1 tested)
>      under Solaris only

Thanks for the notification and your help to create a patch.
The attached patch will be in the next release of sendmail.

PS: Content-Length: shouldn't be used anyway :-)

© SecurityVulns, 3APA3A, Vladimir Dubrovin