From: utzoo!decvax!cca!ima!johnl
Newsgroups: net.bugs.uucp,net.unix-wizards
Title: Important uucp security bug
Article-I.D.: ima.247
Posted: Wed Nov  3 16:08:00 1982
Received: Thu Nov  4 07:03:49 1982

You may have noticed X. files lying around in your uucp spool directory
which, when you look at them, appear to have been intended for other
sites.  This turns out to be the most obvious case of a general bug in
which any site that calls out can send files to sites other than the one
they should have gone to.  Quite a security hole, eh?  This problem is
most notable at sites which are polled by decvax, since decvax calls out
and gets hung up on a lot.  (Hint: decvax - try installing this soon.)

The problem is as follows.  When uucico calls a site and copies files
across, it opens a C. file for that site and reads command lines from it
one at a time.  If the connection should die before all of the command
lines in that file have been processed, and it then goes and calls a
second site, it continues reading command lines from that command file!
Oops.  Fortunately the fix is quite simple.  These changes are for System
III uucp, but I think the code is the same in V7 and BSD.

In cntrl() in cntrl.c near line 118:

	pnum = getpid();
	Wfile[0] = '\0';        /* ADD THIS NEW LINE JUST BEFORE top: */
top:
	DEBUG(4, "*** TOP ***  -  role=%d, ", role);


In anlwrk() in anlwrk.c near line 30, add these lines and adjust the
curly braces to match:

	if (file[0] == '\0') {  /* { IS NEW */
	/* begin new code */
		if(fp != NULL)
			fclose(fp);
		fp = NULL;
	/* end new code */
		return(0);
	}                       /* } IS NEW */

These changes just make sure that it closes any open command file when it
calls iswrk() to look for new work for a new system.  Yes, I have tested
this and hung up on myself and all and it really works.

John Levine, IECC, PO Box 349, Cambridge MA 02238; (617) 491-5450
decvax!cca!ima!johnl, harpo!esquire!ima!johnl, ucbvax!cbosgd!ima!johnl,
yale-co!jrl (all uucp), Levine@YALE (Arpa).


--------