Re: Disable escapes to prevent command-injection attacks
From: Quinn Comendant
Subject: Re: Disable escapes to prevent command-injection attacks
Date: Wed, 6 Oct 2021 16:41:48 -0500

On 06 Oct 2021 21:45:08, Sergey Poznyakoff wrote:
>> I recently learned of a vulnerability where an arbitrary command can
>> be executed by root if the body of an email passed to `mail` contains
>> unsanitized ~! or ~| escapes.
>
> This has been fixed on July 19 (commit 4befcfd015). The fix is included
> in version 3.13. Please, upgrade.

Thanks Sergey!

For the convenience of those who find this conversation later, here's the link
to the commit:

https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f

And the relevant bug report:

https://savannah.gnu.org/bugs/?60937

Regards,
Quinn