*** RELEASE_NOTES.OLD	Sat Jan 20 16:05:41 1996
--- RELEASE_NOTES	Thu Jan 25 11:16:20 1996
***************
*** 1,9 ****
  			SENDMAIL RELEASE NOTES
! 	     @(#)RELEASE_NOTES	8.6.12.1 (Berkeley) 3/28/95
  
  This listing shows the version of the sendmail binary, the version
  of the sendmail configuration files, the date of release, and a
  summary of the changes in that release.
  
  8.6.12/8.6.12	95/03/28
  	Fix to IDENT code (it was getting the size of the reply buffer
--- 1,16 ----
  			SENDMAIL RELEASE NOTES
! 	     @(#)RELEASE_NOTES	8.6.13.1 (Berkeley) 1/25/96
  
  This listing shows the version of the sendmail binary, the version
  of the sendmail configuration files, the date of release, and a
  summary of the changes in that release.
+ 
+ 8.6.13/8.6.12	95/01/25
+ 	SECURITY: In some cases it was still possible for an attacker to
+ 		insert newlines into a queue file, thus allowing access to
+ 		any user (except root).
+ 	CONFIG: no changes -- it is not a bug that the configuration
+ 		version number is unchanged.
  
  8.6.12/8.6.12	95/03/28
  	Fix to IDENT code (it was getting the size of the reply buffer
*** src/headers.c.OLD	Thu Feb  9 12:21:58 1995
--- src/headers.c	Mon Feb  5 21:30:07 1996
***************
*** 33,39 ****
   */
  
  #ifndef lint
! static char sccsid[] = "@(#)headers.c	8.32 (Berkeley) 4/14/94";
  #endif /* not lint */
  
  # include <errno.h>
--- 33,39 ----
   */
  
  #ifndef lint
! static char sccsid[] = "@(#)headers.c	8.32.1.3 (Berkeley) 2/5/96";
  #endif /* not lint */
  
  # include <errno.h>
***************
*** 995,1012 ****
  		{
  			/* vanilla header line */
  			register char *nlp;
  
! 			(void) sprintf(obuf, "%s: ", h->h_field);
  			while ((nlp = strchr(p, '\n')) != NULL)
  			{
  				*nlp = '\0';
! 				(void) strcat(obuf, p);
  				*nlp = '\n';
  				putline(obuf, mci);
  				p = ++nlp;
! 				obuf[0] = '\0';
  			}
! 			(void) strcat(obuf, p);
  			putline(obuf, mci);
  		}
  	}
--- 995,1017 ----
  		{
  			/* vanilla header line */
  			register char *nlp;
+ 			register char *obp;
  
! 			(void) sprintf(obuf, "%.200s: ", h->h_field);
! 			obp = obuf + strlen(obuf);
  			while ((nlp = strchr(p, '\n')) != NULL)
  			{
  				*nlp = '\0';
! 				sprintf(obp, "%.*s",
! 					sizeof obuf - (obp - obuf) - 1, p);
  				*nlp = '\n';
  				putline(obuf, mci);
  				p = ++nlp;
! 				obp = obuf;
! 				if (*p != ' ' && *p != '\t')
! 					*obp++ = ' ';
  			}
! 			sprintf(obp, "%.*s", sizeof obuf - (obp - obuf) - 1, p);
  			putline(obuf, mci);
  		}
  	}
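Review bot: The precision passed to `%.*s` in both new `sprintf` calls is `sizeof obuf - (obp - obuf) - 1`, which is not an `int`; the `*` precision must be an `int`, so on a platform where `size_t` is wider than `int` the varargs read is undefined and the bound this fix relies on may not be the one applied. Cast it at both call sites, e.g. `sprintf(obp, "%.*s", (int) (sizeof obuf - (obp - obuf) - 1), p);`. The `%.200s` limit on `h->h_field` is only safe if `obuf` holds at least 203 bytes and is a true array; `obuf` is declared outside this hunk, so that should be confirmed or the limit derived from `sizeof obuf`. Over-long values are now cut silently, so a comment such as `/* truncate rather than overflow obuf */` would record the intent.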
***************
*** 1152,1158 ****
  		firstone = FALSE;
  		*p = savechar;
  	}
! 	(void) strcpy(obp, "\n");
  	putline(obuf, mci);
  }
  /*
--- 1157,1163 ----
  		firstone = FALSE;
  		*p = savechar;
  	}
! 	*obp = '\0';
  	putline(obuf, mci);
  }
  /*
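Review bot: The switch from `strcpy(obp, "\n")` to `*obp = '\0'` carries no comment, and the reason is not evident from the hunk itself. Judging from the putline() hunk in src/util.c, putline() writes the mailer's end-of-line on its own, so the trailing newline appears to have been redundant; the new form also stores one byte at `obp` instead of two. I would add `/* putline() supplies the EOL; just terminate the buffer */` above the assignment. Whether the loop above keeps `obp` inside `obuf` cannot be checked here because the function starts outside the hunk.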
*** src/queue.c.OLD	Sun Mar  5 10:10:26 1995
--- src/queue.c	Thu Jan 25 11:10:28 1996
***************
*** 36,44 ****
  
  #ifndef lint
  #ifdef QUEUE
! static char sccsid[] = "@(#)queue.c	8.41.1.3 (Berkeley) 3/5/95 (with queueing)";
  #else
! static char sccsid[] = "@(#)queue.c	8.41.1.3 (Berkeley) 3/5/95 (without queueing)";
  #endif
  #endif /* not lint */
  
--- 36,44 ----
  
  #ifndef lint
  #ifdef QUEUE
! static char sccsid[] = "@(#)queue.c	8.41.1.4 (Berkeley) 1/25/96 (with queueing)";
  #else
! static char sccsid[] = "@(#)queue.c	8.41.1.4 (Berkeley) 1/25/96 (without queueing)";
  #endif
  #endif /* not lint */
  
***************
*** 205,211 ****
  
  	/* output type and name of data file */
  	if (e->e_bodytype != NULL)
! 		fprintf(tfp, "B%s\n", e->e_bodytype);
  	fprintf(tfp, "D%s\n", e->e_df);
  
  	/* message from envelope, if it exists */
--- 205,211 ----
  
  	/* output type and name of data file */
  	if (e->e_bodytype != NULL)
! 		fprintf(tfp, "B%s\n", denlstring(e->e_bodytype, TRUE, FALSE));
  	fprintf(tfp, "D%s\n", e->e_df);
  
  	/* message from envelope, if it exists */
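Review bot: The `D` record on the line after the changed one still writes `e->e_df` into the queue file unfiltered, while the `B` record now goes through `denlstring()`. If `e_df` is always a name generated by sendmail itself that is fine, but this is not visible in the hunk and deserves a one-line comment saying so. The bare `TRUE, FALSE` arguments here differ from the `FALSE, TRUE` used for header values further down in this file; `denlstring()` is not defined in this patch, so a short comment naming what each flag selects would let a reader verify the choice made for this single-line record.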
***************
*** 325,331 ****
  		/* output the header: expand macros, convert addresses */
  		if (bitset(H_DEFAULT, h->h_flags))
  		{
! 			fprintf(tfp, "%s: %s\n", h->h_field, buf);
  		}
  		else if (bitset(H_FROM|H_RCPT, h->h_flags))
  		{
--- 325,333 ----
  		/* output the header: expand macros, convert addresses */
  		if (bitset(H_DEFAULT, h->h_flags))
  		{
! 			fprintf(tfp, "%s: %s\n",
! 				h->h_field,
! 				denlstring(buf, FALSE, TRUE));
  		}
  		else if (bitset(H_FROM|H_RCPT, h->h_flags))
  		{
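Review bot: Only the header value is passed through `denlstring()`; `h->h_field` is still written to the queue file as-is in this `fprintf` and in the one changed in the next hunk (the final `else` branch). If a field name can never contain a newline because of how headers are parsed, a comment stating that invariant would help; otherwise the name needs the same filtering as the value. The `H_FROM|H_RCPT` branch between the two hunks is not touched by this patch and its output path is not visible here, so it should be checked for the same issue.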
***************
*** 342,348 ****
  			TrafficLogFile = savetrace;
  		}
  		else
! 			fprintf(tfp, "%s: %s\n", h->h_field, h->h_value);
  	}
  
  	/*
--- 344,354 ----
  			TrafficLogFile = savetrace;
  		}
  		else
! 		{
! 			fprintf(tfp, "%s: %s\n",
! 				h->h_field,
! 				denlstring(h->h_value, FALSE, TRUE));
! 		}
  	}
  
  	/*
*** src/util.c.OLD	Sun Mar  5 10:10:24 1995
--- src/util.c	Thu Feb  8 09:27:40 1996
***************
*** 33,39 ****
   */
  
  #ifndef lint
! static char sccsid[] = "@(#)util.c	8.39.1.5 (Berkeley) 3/5/95";
  #endif /* not lint */
  
  # include "sendmail.h"
--- 33,39 ----
   */
  
  #ifndef lint
! static char sccsid[] = "@(#)util.c	8.39.1.7 (Berkeley) 2/8/96";
  #endif /* not lint */
  
  # include "sendmail.h"
***************
*** 760,766 ****
  			(void) putc(*l, mci->mci_out);
  		fputs(mci->mci_mailer->m_eol, mci->mci_out);
  		if (*l == '\n')
! 			++l;
  	} while (l[0] != '\0');
  }
  /*
--- 760,773 ----
  			(void) putc(*l, mci->mci_out);
  		fputs(mci->mci_mailer->m_eol, mci->mci_out);
  		if (*l == '\n')
! 		{
! 			if (*++l != ' ' && *l != '\t' && *l != '\0')
! 			{
! 				(void) putc(' ', mci->mci_out);
! 				if (TrafficLogFile != NULL)
! 					(void) putc(' ', TrafficLogFile);
! 			}
! 		}
  	} while (l[0] != '\0');
  }
  /*
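Review bot: The continuation space is now written for every embedded newline that putline() sees, not only for header text, so any caller that passes multi-line non-header text will get a space prepended to each following line; the callers are outside this hunk and should be checked. The test `*++l != ' ' && *l != '\t' && *l != '\0'` also hides the pointer advance inside the condition; `++l;` on its own line followed by `if (*l != ' ' && *l != '\t' && *l != '\0')` reads more clearly. A comment such as `/* force a continuation line so an embedded newline cannot start a new header */` would document why the space is emitted. The function starts outside the hunk.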
*** src/version.c.OLD	Tue Mar 28 18:27:07 1995
--- src/version.c	Thu Jan 25 10:57:56 1996
***************
*** 33,39 ****
   */
  
  #ifndef lint
! static char sccsid[] = "@(#)version.c	8.6.12.1 (Berkeley) 3/28/95";
  #endif /* not lint */
  
! char	Version[] = "8.6.12";
--- 33,39 ----
   */
  
  #ifndef lint
! static char sccsid[] = "@(#)version.c	8.6.13.1 (Berkeley) 1/25/96";
  #endif /* not lint */
  
! char	Version[] = "8.6.13";