Security fixes in renattach 1.2.1e
  2004-10-03 13:00 CDT

EXECUTIVE SUMMARY
    A security weakness exists in renattach 1.2.0 and 1.2.1, although
    there DOES NOT appear to be a practical way to exploit the code for
    remote access, arbitrary execution, or other immediate damage. The
    weakness only applies to the --pipe facility. The problem has been
    fixed in beta version 1.2.1e (soon to become 1.2.2 release). Sites
    testing 1.2.1e should read the new instructions for --pipe, below.
    Your feedback on the 1.2.1e build is requested, as we prepare 1.2.2.

CURRENT VERSION
    https://www.pc-tools.net/beta/renattach/renattach-1.2.1e.tar.gz

DESCRIPTION OF PROBLEM

renattach 1.2.0 and 1.2.1 used the popen() function in order to provide
the --pipe facility, to send output to an external command. Internally,
popen() used sh which introduces shell manipulation risks. renattach
removes dangerous shell characters from the command line to reduce this
risk, but execution via shell is still inherently risky. Note that the
author has not been informed of any actual exploit or demonstration of an
attack that could lead to remote access. Immediate risk appears to be low.

DESCRIPTION OF FIX

This dangerous --pipe implementation has now been replaced (in 1.2.1e and
for the upcoming 1.2.2 release) with a direct fork/exec, using unmodified
original arguments. This entirely avoids shell interpretation problems. An
additional benefit is improved integration with (e.g.) Postfix. renattach
overhead has also decreased, since sh is no longer forked (fewer PIDs).

IMPORTANT NOTES ON MAKE AND INSTALL

Please consult the ChangeLog for a complete description of changes since 
1.2.1 release. The changes to the software have not yet been reflected in 
the man page or installation instructions.

Please check the build process and inform us of any errors. Some changes 
have been made in order to accommodate OS/2, win32, and other non-UNIXes.

The --pipe feature, if used, now has to be the last option on the command
line. The command name (specify full path) and arguments after --pipe are
taken as-is. DO NOT use quotation marks around this command to execute. 
Run with --verbose to see details on the command, arguments, and exit 
code of the external command.

For Postfix integration, /etc/postfix/master.cf should now contain:

/path/to/renattach -p /path/to/sendmail -i -f ${sender} -- ${recipient}

Note that quotation marks are no longer included in the command line.

-- 
Jem Berkes, SysDesign [ www.sysdesign.ca ]
Email: jberkes@pc-tools.net