Patch-ID# 100224-13 Keywords: mail, delivery, /bin/mail, sendmail Synopsis: SunOS 4.1.1,4.1.2,4.1.3: /bin/mail jumbo patch Date: Oct/31/94 Solaris Release: 1.1 SunOS release: 4.1.1, 4.1.2, 4.1.3,4.1.3C Unbundled Product: Unbundled Release: Topic: /bin/mail jumbo patch BugId's fixed with this patch: 1045636 1047340 1051832 1092987 1115042 1161618 Changes incorporated in this version: 1161618 Relevant Architecture: sparc NOTE: sun4 sun4c sun4m Obsoleted by: Problem Description: Bug ID: 1154720 --------------------------------- 4.x mail/rmail and ignores messages after single dot line. Bug ID: 1161618 --------------------------------- /bin/mail contains a race condition that may be exploited to obtain root access. Bug ID: 1092987 ------------------------------------------------ mail signal handlers cause recursing buss errors. Bug ID: 1051832 --------------------------------- rmail will occasionally dump core on sun when it gets bad input of a certain unknown type. running "strings" on the core file usually shows a line of the form host!host!host!host!host!... for several hundred characters. Bug ID: 1047340 --------------------------------- /bin/mail can be used to invoke a root shell /bin/mail /bin/rmail can be caused to invoke a root shell if given the (im)proper arguments. /bin/rmail can be caused to dump core and produce a uucp shell. Bug ID: 1045636 --------------------------------- /bin/mail is the local delivery agent for sendmail. In some particular instance, /bin/mail parse its argument incorrectly and therefore, mail are being drop into the bit bucket... If you have users that has "f" has the second character, you might want to try the following: (substitute "af" with any user with "f" as second character) From any machine except mailhost: /bin/lib/sendmail -t -v <