[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security hole in premail
On Fri, 20 Dec 1996, Mixmaster wrote:
> *** premail.orig Fri Dec 20 18:46:01 1996
> --- premail Fri Dec 20 18:55:54 1996
> ***************
> *** 3574,3579 ****
> --- 3574,3582 ----
> }
> for ($triesleft = 2; !$done && $triesleft; $triesleft--) {
> $pass = &getpass ($x);
> + if(!-O $ps) {
> + &error ("Secrets file exists and is owned by another user\n");
> + }
> $status = &decrypt_secrets ($ps_pgp, $ps, $pass);
> if (!-s $ps) { unlink $ps; }
> $done = (!$status && -e $ps);
That patch doesn't work. It will always return an error. I have tested the
following patch and it does work as intended:
*** premail.orig Wed Oct 30 22:25:10 1996
--- premail Sat Dec 21 15:45:41 1996
***************
*** 3631,3636 ****
--- 3631,3639 ----
$invoc .= ' > '.$ps;
$invoc .= ' 2> '.$errfile;
&pdv ("Invoking PGP as $invoc\n");
+ if(-e $ps) {
+ &error ("Premail secrets file already exists\n");
+ }
$status = &open_pgp ($invoc, $pass, '');
$err = &read_and_delete ($errfile);
&pdv ($err);
Sorry about the previous mistake.