Xref: utzoo news.admin:4038 news.sysadmin:1628 comp.mail.uucp:2310
Path: utzoo!attcan!uunet!van-bc!sl
From: sl@van-bc.UUCP (pri=-10 Stuart Lynne)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Keywords: "it's a secret ... but they told me!" -- david dobkin
Message-ID: <1961@van-bc.UUCP>
Date: 20 Nov 88 20:38:23 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <4833@bsu-cs.UUCP>
Reply-To: sl@van-bc.UUCP (pri=-10 Stuart Lynne)
Organization: Wimsey Associates, Vancouver, BC.
Lines: 25

In article <4833@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>In article <800@mailrus.cc.umich.edu> honey@citi.umich.edu (peter honeyman)
>writes:
>>the major hole has to do with handing certain news articles to
>>sed|sh.
>Are we talking about automatic extraction of UUCP maps? We do it here
>by first chroot(2)'ing to a small directory tree with just a few tools
>on it. My code is based on John Quarterman's more complex package.
>I didn't realize that the danger of piping Usenet postings was a
>secret.

Simpler yet is to use unshar. It's designed to split up shar packages
safely. And available in source so you can tune it to your system.

Anyone attacking *any* shar file that arrives by news with /bin/sh deserves
what they get, even more so if they do it automatically.

I've been using it to unpack maps since it was posted. It works well.

--
Stuart.Lynne@wimsey.bc.ca {ubc-cs,uunet}!van-bc!sl Vancouver,BC,604-937-7532
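
The approach recommended in the post above, treating a shar archive as data instead of handing it to /bin/sh, sketched as an added example; it is not part of the original post and is not the source of the unshar program it mentions. The `unshar` and `extract` functions, the file-name whitelist and the sample archive are assumptions constructed for illustration, and only the `sed 's/^X//'` / `cat` here-document form of shar is handled.

```python
import os
import re

# Member header: "sed 's/^X//' > name << 'DELIM'" or "cat > name << 'DELIM'".
CMD = re.compile(r"""^\s*(?:sed\s+(?:-e\s+)?['"]s/\^(?P<pfx>[^/]*)//['"]|cat)\s""")
REDIR = re.compile(r"(?<![<>])>\s*([^\s<>]+)")   # output file
HERE = re.compile(r"<<-?\s*(\S+)")               # here-document delimiter
# Plain file names only: no "/", no leading "." or "-", no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.+-]*$")

def unshar(text):
    """Parse a shar archive as data. Returns ({name: content}, [rejected names])."""
    files, rejected = {}, []
    lines = iter(text.splitlines())
    for line in lines:
        cmd = CMD.match(line)
        out, here = REDIR.search(line), HERE.search(line)
        if not (cmd and out and here):
            continue                      # any other shell line is skipped, never run
        name = out.group(1).strip("'\"")
        delim = here.group(1).strip("'\"").lstrip("\\")
        prefix = cmd.group("pfx") or ""
        body = []
        for data in lines:                # consume the here-document body
            if data == delim:
                break
            body.append(data[len(prefix):] if data.startswith(prefix) else data)
        if SAFE_NAME.match(name):
            files[name] = "\n".join(body) + "\n"
        else:
            rejected.append(name)
    return files, rejected

def extract(text, dest):
    """Write accepted members into dest, refusing to overwrite existing files."""
    files, rejected = unshar(text)
    for name, content in files.items():
        with open(os.path.join(dest, name), "x") as fh:   # "x": fail if it exists
            fh.write(content)
    return sorted(files), rejected

# Constructed sample archive (not a real map posting).
SAMPLE = """#! /bin/sh
echo this line would run if the article were piped to sh
sed 's/^X//' > u.sample.1 << 'SHAR_EOF'
X#N example
X#S constructed map entry
SHAR_EOF
sed 's/^X//' > ../outside << 'SHAR_EOF'
Xunwanted
SHAR_EOF
"""
```

Because nothing in the archive is ever executed, an automatic unpacker built this way only has to decide which member names to accept; running it inside a chroot(2) tree, as the quoted article describes, still limits where accepted files can land.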