bug-mailutils

Re: Disable escapes to prevent command-injection attacks


From: Sergey Poznyakoff
Subject: Re: Disable escapes to prevent command-injection attacks
Date: Wed, 06 Oct 2021 21:45:08 +0200
User-agent: MH (GNU Mailutils 3.13.90)

Quinn Comendant <quinn@strangecode.com> wrote:

> I recently learned of a vulnerability where an arbitrary command can
> be executed by root if the body of an email passed to `mail` contains
> unsanitized ~! or ~| escapes.

This was fixed on July 19 (commit 4befcfd015).  The fix is included
in version 3.13.  Please upgrade.

Regards,
Sergey
 


