
[Savannah-hackers] bug classified critical about mailx package


From: mathieu
Subject: [Savannah-hackers] bug classified critical about mailx package
Date: Sat, 20 Apr 2002 17:40:32 +0200

http://bugs.debian.org/cgi-bin/bugreport.cgi?ar\&bug=143152


Package: mailx
Severity: critical
Tags: security patch upstream

        From http://www.deadly.org/article.php3?sid=20020413161803

"The mail(1) program can be made to execute arbitrary code in
non-interactive mode. This can be exploited using cron and the system
startup scripts (by any local user with no privs). A patch and
advisory are available on the advisory page."

        /usr/share/doc/mailx/copyright says "It is now based on
        OpenBSD in directory src/usr.bin/mail ...", so we're likely to
        be vulnerable.

        The deadly.org page contains an exploit, and OpenBSD has
        a patch ready.


====> maybe the subversion.gnu.org should be updated.


--
mathieu

 (( http://humeur.coleumes.org ))
 (( http://gpg.coleumes.org GPG KEY ))


