Red Hat Bugzilla – Bug 54466
Last security patch (Aug 28 2001, vetargs) doesn't work
Last modified: 2007-04-18 12:37:32 EDT
As in uucp-1.06.1-vetargs.patch:
/* The -I, -u and -x options are not permitted. */
if (!strncmp(zopts, "config", 6)) ...
if (!strncmp(zopts, "user", 4)) ...
was added to handle *long* options. But note that
this still does not cure the situation: one can give
not the complete option names but only part of them:
uucp --confi /some/where
uucp --co /some/where
and so on. The only real solution I see here is to
modify *both* uuxqt and uucp: the first one to pass some
additional (aka "--restricted") option to uucp, or
some environment variable, and the second one to check
its args more strictly in case --restricted was given,
and refuse to execute if it finds an alarm.
For now, as it is, the vetargs patch is useless; it "cures"
only a minor "part" of the problem. Oh, those long options! ;)
BTW, it may be simpler to just disallow long options here at all and
handle `-' in *short* options case just like -I etc.
Fixed in pending uucp errata re-release.
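
The gap described in this report, as an added example that is not part of the original report or of the uucp patch: a full-name comparison in the style of the quoted excerpt next to a stricter check that also rejects abbreviated names and the --name=value form. The function names are hypothetical, the option list holds only the two names quoted above, and it is assumed that the excerpt's zopts points just past the leading dashes.

```c
#include <stdio.h>
#include <string.h>

/* Only the two long option names quoted in the report. */
static const char *const forbidden_long[] = { "config", "user" };

/* Full-name comparison as in the quoted excerpt.
   Assumption: name points just past the leading "--". */
int exact_check_rejects(const char *name)
{
    return !strncmp(name, "config", 6) || !strncmp(name, "user", 4);
}

/* Stricter check (hypothetical): reject a "--" argument when its name,
   the text up to an optional '=', is a prefix of a forbidden name or
   starts with one. This is deliberately conservative: it also rejects
   prefixes that an option parser would treat as ambiguous. */
int strict_check_rejects(const char *arg)
{
    size_t i, len;

    if (strncmp(arg, "--", 2) != 0)
        return 0;                 /* short options are checked elsewhere */
    arg += 2;
    if (arg[0] == '\0')
        return 0;                 /* bare "--" only ends option parsing */
    len = strcspn(arg, "=");      /* length of the option name */
    for (i = 0; i < sizeof forbidden_long / sizeof forbidden_long[0]; i++) {
        size_t flen = strlen(forbidden_long[i]);
        size_t n = len < flen ? len : flen;
        if (strncmp(arg, forbidden_long[i], n) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, including the forms from the report. */
    const char *samples[] = { "--config", "--confi", "--co", "--copy" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s exact=%d strict=%d\n", samples[i],
               exact_check_rejects(samples[i] + 2),
               strict_check_rejects(samples[i]));
    return 0;
}
```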