syd@DSI.COM (Syd Weinstein) (10/24/89)
Summary: This is an official patch for elm 2.2 system. Please apply it. Priority: HIGH Security patch for default mailboxes to prevent unauthorized access From: Syd Change in Filter Error message for missing variable From: Andrea Fix: From rn, say "| patch -p -N -d DIR", where DIR is your elm source directory. Outside of rn, say "cd DIR; patch -p -N <thisarticle". If you don't have the patch program, apply the following by hand, or get patch (version 2.0, latest patchlevel). After patching: make make install If patch indicates that patchlevel is the wrong version, you may need to apply one or more previous patches, or the patch may already have been applied. See the patchlevel.h file to find out what has or has not been applied. In any event, don't continue with the patch. If you are missing previous patches they can be obtained from our: archive server. Syd Weinstein elm@DSI.COM The patches are available from the dsinc archive server Send the following message to archive-server@DSI.COM for a list of available patches: Subject: patch list send index elm Index: hdrs/patchlevel.h Prereq: 12 *** ../elm2.2/hdrs/patchlevel.h Wed Oct 18 20:54:38 1989 --- hdrs/patchlevel.h Wed Oct 18 20:55:53 1989 *************** *** 1 **** ! #define PATCHLEVEL 12 --- 1 ---- ! #define PATCHLEVEL 13 Index: filter/actions.c Prereq: 2.4 *** ../elm2.2/filter/actions.c Thu Mar 30 10:33:56 1989 --- filter/actions.c Mon Oct 23 10:34:53 1989 *************** *** 1,8 **** ! static char rcsid[] ="@(#)$Id: actions.c,v 2.4 89/03/25 21:45:10 syd Exp $"; /******************************************************************************* ! * The Elm Mail System - $Revision: 2.4 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust --- 1,8 ---- ! static char rcsid[] ="@(#)$Id: actions.c,v 2.4.1.1 89/10/23 10:34:27 syd Exp $"; /******************************************************************************* ! 
* The Elm Mail System - $Revision: 2.4.1.1 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust *************** *** 14,19 **** --- 14,23 ---- * ******************************************************************************* * $Log: actions.c,v $ + * Revision 2.4.1.1 89/10/23 10:34:27 syd + * Fix missing variable in error message + * From: Adrian Miranda (kralc!ade) + * * Revision 2.4 89/03/25 21:45:10 syd * Initial 2.2 Release checkin * *************** *** 83,89 **** if ((pipefd = popen(buffer, "w")) == NULL) { if (outfd != NULL) ! fprintf(outfd, "filter (%s): popen %s failed!\n", buffer); sprintf(buffer, "((%s %s %s ; %s %s) & ) < %s &", sendmail , smflags, address, remove_cmd, tempfile, tempfile); system(buffer); --- 87,93 ---- if ((pipefd = popen(buffer, "w")) == NULL) { if (outfd != NULL) ! fprintf(outfd, "filter (%s): popen %s failed!\n", username, buffer); sprintf(buffer, "((%s %s %s ; %s %s) & ) < %s &", sendmail , smflags, address, remove_cmd, tempfile, tempfile); system(buffer); *************** *** 198,205 **** char buffer[SLEN]; if (verbose && outfd != NULL) ! fprintf(outfd, "filter (%s): Executing %s\n", ! username, command); if (! show_only) { sprintf(buffer, "%s %s.%d | %s", cat, filter_temp, getpid(), command); --- 202,208 ---- char buffer[SLEN]; if (verbose && outfd != NULL) ! fprintf(outfd, "filter (%s): Executing %s\n", username, command); if (! show_only) { sprintf(buffer, "%s %s.%d | %s", cat, filter_temp, getpid(), command); Index: hdrs/elm.h Prereq: 2.22 *** ../elm2.2/hdrs/elm.h Fri Apr 28 16:05:26 1989 --- hdrs/elm.h Mon Oct 23 14:18:29 1989 *************** *** 1,8 **** ! /* $Id: elm.h,v 2.22 89/04/28 14:48:16 syd Exp $ */ /******************************************************************************* ! * The Elm Mail System - $Revision: 2.22 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust --- 1,8 ---- ! 
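Review bot: In filter/actions.c (hunk at new lines 87-93) the fallback right after the corrected `fprintf` still formats `address` and `tempfile` into `buffer` with an unbounded `sprintf` and hands the result to `system()`, so whatever ends up in `address` is interpreted by the shell. Where `address` comes from is not visible in this hunk; if message content or a user's filter rules can influence it, it should be validated against an address character set, or the mailer should be started with an explicit argument vector instead of a shell string. The size of `buffer` is not visible here either, so the write should be length-checked against the buffer's declared size. The hunk at new lines 202-208 has the same pattern, `sprintf(buffer, "%s %s.%d | %s", cat, filter_temp, getpid(), command)` into `char buffer[SLEN]`. The enclosing functions start and end outside both hunks.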
/* $Id: elm.h,v 2.22.1.1 89/10/23 14:18:18 syd Exp $ */ /******************************************************************************* ! * The Elm Mail System - $Revision: 2.22.1.1 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust *************** *** 14,19 **** --- 14,23 ---- * ******************************************************************************* * $Log: elm.h,v $ + * Revision 2.22.1.1 89/10/23 14:18:18 syd + * Add errno for can_access checking + * From: Syd + * * Revision 2.22 89/04/28 14:48:16 syd * This reinstates elm 2.1 functionality of saving a copy of an outbound * message by name only if the folder preexists, while keeping the new *************** *** 32,37 **** --- 36,42 ---- #include <stdio.h> #include <fcntl.h> + #include <errno.h> #include "../hdrs/curses.h" #include "../hdrs/defs.h" Index: src/elm.c Prereq: 2.35 *** ../elm2.2/src/elm.c Mon Jun 19 17:16:55 1989 --- src/elm.c Mon Oct 23 14:22:38 1989 *************** *** 1,8 **** ! static char rcsid[] = "@(#)$Id: elm.c,v 2.35 89/06/19 16:57:29 syd Exp $"; /******************************************************************************* ! * The Elm Mail System - $Revision: 2.35 $ $State: Exp $ * * This file and all associated files and documentation: * Copyright (c) 1986, 1987 Dave Taylor --- 1,8 ---- ! static char rcsid[] = "@(#)$Id: elm.c,v 2.35.1.1 89/10/23 14:22:35 syd Exp $"; /******************************************************************************* ! 
* The Elm Mail System - $Revision: 2.35.1.1 $ $State: Exp $ * * This file and all associated files and documentation: * Copyright (c) 1986, 1987 Dave Taylor *************** *** 15,20 **** --- 15,24 ---- * ******************************************************************************* * $Log: elm.c,v $ + * Revision 2.35.1.1 89/10/23 14:22:35 syd + * Security fix for default mail box + * From: Syd + * * Revision 2.35 89/06/19 16:57:29 syd * Fixed where pressing | to pipe a message when there is not any * mail caused a segmentation error signal to occur. *************** *** 98,103 **** --- 102,116 ---- fflush(stdin); /* just to be sure... */ last_in_folder = message_count; pageon = header_page; + + if ((errno = can_access(cur_folder, READ_ACCESS)) != 0) { + dprint(1, (debugfile, + "Error: given file %s as folder - unreadable (%s)!\n", + cur_folder, error_name(errno))); + fprintf(stderr,"Can't open folder '%s' for reading!\n", cur_folder); + leave(); + } + newmbox(cur_folder, TRUE); /* last won't be touched! */ clear_error(); header_page = pageon; Index: src/init.c Prereq: 2.30.1.1 *** ../elm2.2/src/init.c Wed Oct 18 20:54:42 1989 --- src/init.c Mon Oct 23 14:22:40 1989 *************** *** 1,8 **** ! static char rcsid[] = "@(#)$Id: init.c,v 2.30.1.1 89/09/20 14:42:10 syd Exp $"; /******************************************************************************* ! * The Elm Mail System - $Revision: 2.30.1.1 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust --- 1,8 ---- ! static char rcsid[] = "@(#)$Id: init.c,v 2.30.1.2 89/10/23 14:22:39 syd Exp $"; /******************************************************************************* ! 
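Review bot: The new check in src/elm.c (new lines 102-116) treats every non-zero result from `can_access(cur_folder, READ_ACCESS)` as fatal, whereas the init.c hunk and the change-folder hunk in quit.c of this same patch let a missing default mailbox through with `strcmp(..., defaultfile) != 0 || errno != ENOENT`. If `cur_folder` can be the default mailbox here and that file is absent, this path now calls `leave()` where startup would have continued. The same applies to the check added before `newmbox(cur_folder, FALSE)` in src/quit.c (new lines 70-83). Consider guarding the error branch the same way, `if (strcmp(cur_folder, defaultfile) != 0 || errno != ENOENT) { ... leave(); }`, assuming `defaultfile` is in scope in these files. The enclosing function starts and ends outside the hunk.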
* The Elm Mail System - $Revision: 2.30.1.2 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust *************** *** 14,19 **** --- 14,23 ---- * ******************************************************************************* * $Log: init.c,v $ + * Revision 2.30.1.2 89/10/23 14:22:39 syd + * Security fix for default mail box + * From: Syd + * * Revision 2.30.1.1 89/09/20 14:42:10 syd * Fix typo in define of signal routines * *************** *** 272,287 **** exit(0); } ! /* check for permissions only if not default mail file */ ! if(strcmp(requestedmfile, defaultfile) != 0) { ! if ((errno = can_access(requestedmfile, READ_ACCESS))) { ! dprint(1, (debugfile, ! "Error: given file %s as folder - unreadable (%s)!\n", ! requestedmfile, error_name(errno))); ! fprintf(stderr,"Can't open folder '%s' for reading!\n", ! requestedmfile); ! Raw(OFF); ! exit(1); } } --- 276,293 ---- exit(0); } ! /* check for permissions only if not send only mode file */ ! if (! mail_only) { ! if ((errno = can_access(requestedmfile, READ_ACCESS)) != 0) { ! if (strcmp(requestedmfile, defaultfile) != 0 || errno != ENOENT) { ! dprint(1, (debugfile, ! "Error: given file %s as folder - unreadable (%s)!\n", ! requestedmfile, error_name(errno))); ! fprintf(stderr,"Can't open folder '%s' for reading!\n", ! requestedmfile); ! Raw(OFF); ! exit(1); ! } } } Index: src/quit.c Prereq: 2.16 *** ../elm2.2/src/quit.c Mon Apr 24 20:04:06 1989 --- src/quit.c Mon Oct 23 14:22:34 1989 *************** *** 1,8 **** ! static char rcsid[] = "@(#)$Id: quit.c,v 2.16 89/04/19 13:11:41 syd Exp $"; /******************************************************************************* ! * The Elm Mail System - $Revision: 2.16 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust --- 1,8 ---- ! 
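Review bot: The permission test in src/init.c (new lines 276-293) is made on the path name, and the folder is opened later by code outside this hunk, so the decision and the open are not tied to the same file. If elm is installed with extra group privileges for the spool directory (not visible here) and `can_access` is a path-based check in the manner of access(2), a file replaced between the two steps would be opened without having been checked. A sturdier design opens the folder once with the invoking user's own credentials and works on that descriptor, or at least re-verifies the opened descriptor with `fstat`; the same holds for the checks this patch adds in src/elm.c and src/quit.c. Separately, keeping the result in `errno` means the later `errno != ENOENT` test is only valid while no library call in between modifies it; a local such as `int err = can_access(requestedmfile, READ_ACCESS);` would be safer.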
static char rcsid[] = "@(#)$Id: quit.c,v 2.16.1.1 89/10/23 14:22:21 syd Exp $"; /******************************************************************************* ! * The Elm Mail System - $Revision: 2.16.1.1 $ $State: Exp $ * * Copyright (c) 1986, 1987 Dave Taylor * Copyright (c) 1988, 1989 USENET Community Trust *************** *** 14,19 **** --- 14,23 ---- * ******************************************************************************* * $Log: quit.c,v $ + * Revision 2.16.1.1 89/10/23 14:22:21 syd + * Security fix for default mail box + * From: Syd + * * Revision 2.16 89/04/19 13:11:41 syd * Fix help message range * *************** *** 29,35 **** --- 33,42 ---- **/ #include "headers.h" + #include <errno.h> + extern int errno; /* system error number on failure */ + long bytes(); quit(prompt) *************** *** 63,68 **** --- 70,83 ---- * changed for its own purposes */ return(FALSE); + if ((errno = can_access(cur_folder, READ_ACCESS)) != 0) { + dprint(1, (debugfile, + "Error: given file %s as folder - unreadable (%s)!\n", + cur_folder, error_name(errno))); + fprintf(stderr,"Can't open folder '%s' for reading!\n", cur_folder); + leave(); + } + newmbox(cur_folder, FALSE); return(TRUE); } *************** *** 140,147 **** /* Make sure this is a file the user can open, unless it's the * default mailfile, which is openable even if empty */ ! if (strcmp(newfile, defaultfile) != 0) { ! if (can_access(newfile, READ_ACCESS)) { error1("Can't open folder '%s' for reading!", newfile); continue; /* prompt again */ } --- 155,162 ---- /* Make sure this is a file the user can open, unless it's the * default mailfile, which is openable even if empty */ ! if ((errno = can_access(newfile, READ_ACCESS)) != 0 ) { ! 
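Review bot: In src/quit.c (new lines 33-42) the added `extern int errno;` directly after `#include <errno.h>` is redundant and not portable: the header is what declares `errno`, and on systems where it is a macro a separate declaration of that name is undefined by the C standard. This patch also adds `#include <errno.h>` to hdrs/elm.h, so if `headers.h` pulls in elm.h (not visible here) the include is duplicated as well. I would keep only the `#include <errno.h>` line and drop the `extern` declaration.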
if (strcmp(newfile, defaultfile) != 0 || errno != ENOENT) { error1("Can't open folder '%s' for reading!", newfile); continue; /* prompt again */ } Index: Patchlist *** ../elm2.2/Patchlist Mon Oct 23 14:41:57 1989 --- Patchlist Mon Oct 23 14:42:14 1989 *************** *** 1,3 **** --- 1,13 ---- + Subject: elm 2.2 Patch #13 + Date: Mon Oct 23 14:40:29 EDT 1989 (Creation, not message date) + Priority: HIGH + + Security patch for default mailboxes to prevent unauthorized access + From: Syd + + Change in Filter Error message for missing variable + From: Andrea + Subject: elm 2.2 Patch #12 Date: Wed Oct 18 20:58:47 EDT 1989 (Creation, not message date) Priority: MEDIUM -- ===================================================================== Sydney S. Weinstein, CDP, CCP Elm Coordinator Datacomp Systems, Inc. Voice: (215) 947-9900 syd@DSI.COM or {bpa,vu-vlsi}!dsinc!syd FAX: (215) 938-0235
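Review bot: The comment kept above the rewritten test in src/quit.c (new lines 155-162) no longer matches the code: it says the default mailfile is exempt from the check, but the new condition exempts it only when `can_access` reports `ENOENT` and rejects it for any other failure. Since that narrowing is the security fix, the comment should say so, for example `/* Make sure the user can read this file; only a default mailfile that does not exist yet (ENOENT) is let through */`. The comment in the init.c hunk, `/* check for permissions only if not send only mode file */`, would benefit from the same sentence about `defaultfile`. The enclosing loop and function start outside the hunk.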