Re: Arbitrary Code Execution when using -x

spamass-milt-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Arbitrary Code Execution when using -x

From:	Dan Nelson
Subject:	Re: Arbitrary Code Execution when using -x
Date:	Wed, 10 Mar 2010 13:13:21 -0600
User-agent:	Mutt/1.5.20 (2009-06-14)

In the last episode (Mar 09), Don Armstrong said:
> popen shouldn't be used with user data; there is arbitrary remote code
> execution when using -x.
> 
> You can temporarily disable -x; see
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228 for more
> details.

I've got a preliminary patch at
http://savannah.nongnu.org/bugs/index.php?29136 that replaces popen() with a
popenv() function that takes an execv-style argument array; it's untested at
the moment since I don't use -x myself.

-- 
        Dan Nelson
        address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

Arbitrary Code Execution when using -x, Don Armstrong, 2010/03/09
- Re: Arbitrary Code Execution when using -x, Dan Nelson <=
  - Re: Arbitrary Code Execution when using -x, Don Armstrong, 2010/03/10

Prev by Date: Arbitrary Code Execution when using -x
Next by Date: Re: Arbitrary Code Execution when using -x
Previous by thread: Arbitrary Code Execution when using -x
Next by thread: Re: Arbitrary Code Execution when using -x
Index(es):
- Date
- Thread