Path: utzoo!utgpu!watmath!uunet!bu-cs!bloom-beacon!tut.cis.ohio-state.edu!UF.MSC.UMN.EDU!fin
From: fin@UF.MSC.UMN.EDU ("Craig Finseth")
Newsgroups: gnu.emacs.bug
Subject: fixes for a security hole in movemail
Message-ID: <8812292256.AA08788@uf.msc.umn.edu>
Date: 29 Dec 88 21:56:56 GMT
Sender: daemon@tut.cis.ohio-state.edu
Distribution: gnu
Organization: GNUs Not Usenet
Lines: 35

Hello, Richard, from a person out of your past...

I'm a happy user of GNU-Emacs out here in Minnesota and -- not
surprizingly -- also the maintainer.

Unfortunately, GNU-Emacs has received a reputation as being "unsecure"
because of a hole in movemail, which must run as set uid "root" (at
least on our systems).

Fortunately, the fix is very easy:

starting at line 138:

#ifdef MAIL_USE_FLOCK
  if (access (inname, R_OK | W_OK) != 0)	<NEW
    pfatal_with_name (inname);			<NEW
  indesc = open (inname, O_RDWR);
#else /* if not MAIL_USE_FLOCK */
  if (access (inname, R_OK) != 0)		<NEW
    pfatal_with_name (inname);			<NEW
  indesc = open (inname, O_RDONLY);
#endif /* not MAIL_USE_FLOCK */


starting at line 156, add these lines:

  /* Should also check to ensure that, if outname is not present, its
     directory is writeable to the real uid */
  if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
    pfatal_with_name (outname);

and that's it.  Keep up the good work.

Craig A. Finseth			fin@msc.umn.edu [CAF13]
Minnesota Supercomputer Center, Inc.	(612) 624-3375