Xref: utzoo news.admin:4068 news.sysadmin:1676 comp.mail.uucp:2339
Path: utzoo!attcan!uunet!van-bc!sl
From: sl@van-bc.UUCP (pri=-10 Stuart Lynne)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Keywords: "it's a secret ... but they told me!" -- david dobkin
Message-ID: <1971@van-bc.UUCP>
Date: 24 Nov 88 23:45:58 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <4833@bsu-cs.UUCP> <1961@van-bc.UUCP> <151@ecicrl.UUCP>
Reply-To: sl@van-bc.UUCP (pri=-10 Stuart Lynne)
Organization: Wimsey Associates, Vancouver, BC.
Lines: 36

In article <151@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes:
>In article <1961@van-bc.UUCP> sl@van-bc.UUCP (pri=-10 Stuart Lynne) writes:
>>>In article <800@mailrus.cc.umich.edu> honey@citi.umich.edu (peter honeyman)
>>>writes:
>>>>the major hole has to do with handing certain news articles to
>>>>sed|sh.
>
>>Simpler yet is to use unshar.
>>
>>It's designed to split up shar packages safely. And available in source so
>>you can tune it to your system.
>
>Er, no. Examine yours very carefully - I haven't seen any version of
>unshar yet (and I've seen quite a few go by) that does
>anything more than scan through the file before finding a point where
>it can start ramming stuff down /bin/sh. Eg: the version written in

Ack! You're right. Almost.

There are unshars available for PCs that do everything themselves. In point
of fact that's what I thought I was running. Hadn't looked in those
directories since '85.

I'll dig around in the backups and see what I can find. Anyone else who has
unshar for a PC (as in personal computer, generic, not necessarily IBM) might
look at retro-fitting to Unix and posting.

It seems to me that when I was Mac'ing I had one running under Aztec C that
had come from the Amiga world. It basically understood a small repertoire of
commands, enough to unpack shar files.

It wouldn't be too terribly hard to beef up the security on it to prevent
most problems.

--
Stuart.Lynne@wimsey.bc.ca {ubc-cs,uunet}!van-bc!sl Vancouver,BC,604-937-7532
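
The approach the post describes, an unpacker that understands only a small repertoire of commands instead of handing the archive to /bin/sh, sketched here as an added example; it is not part of the original post and not any of the unshar programs mentioned in it. The names `unshar`, `safe_name`, `Refused` and the sample archive are constructed for illustration, and the code assumes the common `sed 's/^X//' > file << 'DELIM'` shar layout.

```python
import re
from pathlib import PurePosixPath

# Only extraction form accepted: sed 's/^X//' > NAME << 'DELIM'
EXTRACT = re.compile(r"^sed\s+'s/\^(\w)//'\s*>\s*(\S+)\s*<<\s*\\?'?(\w+)'?\s*$")
# Lines that may be skipped: blank, comments, plain echo, exit.
HARMLESS = re.compile(r"^(#.*|echo(\s[\w\s./'\"-]*)?|exit(\s+0)?|)$")

class Refused(Exception):
    """Raised for anything outside the small command repertoire."""

def safe_name(name):
    # Refuse absolute paths, parent-directory escapes and option-like names.
    p = PurePosixPath(name)
    if p.is_absolute() or ".." in p.parts or name.startswith("-"):
        raise Refused(f"unsafe path: {name!r}")
    return str(p)

def unshar(text):
    """Parse a shar archive into {path: contents}. No shell is run, so
    here-document bodies are copied literally ($VAR, `cmd` not expanded)."""
    files, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = EXTRACT.match(line)
        if not m:
            if HARMLESS.match(line):
                continue
            raise Refused(f"line {i}: unsupported command: {line!r}")
        prefix, name, delim = m.group(1), safe_name(m.group(2)), m.group(3)
        body = []
        while i < len(lines) and lines[i] != delim:
            if not lines[i].startswith(prefix):
                raise Refused(f"line {i + 1}: missing {prefix!r} prefix")
            body.append(lines[i][1:])
            i += 1
        if i == len(lines):
            raise Refused(f"unterminated here-document for {name!r}")
        i += 1  # skip the delimiter line
        files[name] = "\n".join(body) + "\n"
    return files

# Constructed sample archive (not from the original post).
SAMPLE = """#!/bin/sh
echo x - hello.c
sed 's/^X//' > hello.c << 'SHAR_EOF'
Xint main(void) { return 0; }
X/* `id` and $HOME stay literal */
SHAR_EOF
exit 0
"""
```

`unshar(SAMPLE)` returns the file contents in memory; a caller would write them out only after reviewing the paths, and any archive containing a line outside the accepted forms is rejected whole.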