Synopsis: Fixes argument passing security problems with /usr/bin/vacation.
NetBSD versions: 1.0, 1.1, 1.2, 1.2.1, and NetBSD-current prior to 19970828.
Thanks to: David Sacerdote, SNI.
Reported by: SNI advisory.

Index: vacation.c
===================================================================
RCS file: /cvsroot/src/usr.bin/vacation/vacation.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -c -r1.8 -r1.9
*** vacation.c	1997/05/17 20:24:26	1.8
--- vacation.c	1997/08/28 08:13:41	1.9
***************
*** 1,4 ****
! /*	$NetBSD: vacation.c,v 1.8 1997/05/17 20:24:26 pk Exp $	*/
  
  /*
   * Copyright (c) 1983, 1987, 1993
--- 1,4 ----
! /*	$NetBSD: vacation.c,v 1.9 1997/08/28 08:13:41 mrg Exp $	*/
  
  /*
   * Copyright (c) 1983, 1987, 1993
***************
*** 43,49 ****
  #if 0
  static char sccsid[] = "@(#)vacation.c	8.2 (Berkeley) 1/26/94";
  #endif
! static char rcsid[] = "$NetBSD: vacation.c,v 1.8 1997/05/17 20:24:26 pk Exp $";
  #endif /* not lint */
  
  /*
--- 43,49 ----
  #if 0
  static char sccsid[] = "@(#)vacation.c	8.2 (Berkeley) 1/26/94";
  #endif
! static char rcsid[] = "$NetBSD: vacation.c,v 1.9 1997/08/28 08:13:41 mrg Exp $";
  #endif /* not lint */
  
  /*
***************
*** 424,432 ****
  		close(pvect[0]);
  		close(pvect[1]);
  		fclose(mfp);
! 		execl(_PATH_SENDMAIL, "sendmail", "-f", myname, from, NULL);
  		syslog(LOG_ERR, "vacation: can't exec %s: %s",
! 			_PATH_SENDMAIL, strerror(errno));
  		exit(1);
  	}
  	close(pvect[0]);
--- 424,433 ----
  		close(pvect[0]);
  		close(pvect[1]);
  		fclose(mfp);
! 		execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from,
! 		    NULL);
  		syslog(LOG_ERR, "vacation: can't exec %s: %s",
! 		    _PATH_SENDMAIL, strerror(errno));
  		exit(1);
  	}
  	close(pvect[0]);