Patch-ID# 100224-13
Keywords: mail, delivery, /bin/mail, sendmail
Synopsis: SunOS 4.1.1,4.1.2,4.1.3: /bin/mail jumbo patch
Date: Oct/31/94

Solaris Release: 1.1
 
SunOS release: 4.1.1, 4.1.2, 4.1.3,4.1.3C

Unbundled Product:

Unbundled Release: 

Topic:  /bin/mail jumbo patch
 
BugId's fixed with this patch: 1045636 1047340 1051832 1092987 1115042 1161618

Changes incorporated in this version: 1161618

Relevant Architecture: sparc
    NOTE: sun4 sun4c sun4m

Obsoleted by:

Problem Description:

Bug ID: 1154720
---------------------------------
4.x mail/rmail and ignores messages after single dot line.

Bug ID: 1161618
---------------------------------
/bin/mail contains a race condition that may be exploited to
obtain root access.

Bug ID: 1092987 
------------------------------------------------
mail signal handlers cause recursing buss errors.

Bug ID: 1051832
---------------------------------
rmail will occasionally dump core on sun when it gets bad input
of a certain unknown type.  running "strings" on the core file
usually shows a line of the form host!host!host!host!host!...
for several hundred characters.

Bug ID: 1047340
---------------------------------
/bin/mail can be used to invoke a root shell
/bin/mail /bin/rmail can be caused to invoke a root shell if given the
        (im)proper arguments.
/bin/rmail can be caused to dump core and produce a uucp shell.


Bug ID: 1045636
---------------------------------
 /bin/mail is the local delivery agent for sendmail.  In
some particular instance, /bin/mail parse its argument incorrectly
and therefore, mail are being drop into the bit bucket...

If you have users that has "f" has the second character, you might want
to try the following: (substitute "af" with any user with "f" as second
character)

From any machine except mailhost:

/bin/lib/sendmail -t -v <<END
From: anyuser
to: anyuser
Subject: test
Cc: af          <-- substitute any username with second character as "f"
test

END

When the mail arrived on mailhost, sendmail process will invoke
/bin/mail with the following argument "/bin/mail -r anyuser -d af
anyuser".  Now you are in trouble.  The following are different
scenarios for /bin/mail.

1) /bin/mail -r anyuser -d af  <mailmessages            worked fine
2) /bin/mail -r anyuser -d anyone af ... <mailmessages  worked fine
3) /bin/mail -r anyuser -d af anyone ... <mailmessages  !!error!!

    in case (3), /bin/mail thinks that you want to read mail instead of
    delivering mail.  Therefore, mail messages is lost.

 
BugID: 1115042
---------------------------------
mail crashes when value for MAXLET exceeded.


INSTALL:

As root, make a backup copy of files to be patched: 

mv /bin/mail to /bin/mail.old
mv /bin/rmail to /bin/rmail.old

Now install the patched files:

cp `arch`/{4.1.1;4.1.2;4.1.3}/mail to /bin/mail
cp `arch`/{4.1.1;4.1.2;4.1.3}/rmail to /bin/rmail

Set correct permissions:

chmod 4111 /bin/mail
chmod 111 /bin/rmail
chmod 100 /bin/mail.old
chmod 100 /bin/rmail.old

