savannah-hackers

Re: [Savannah-hackers] bug classified critical about mailx package


From: Loic Dachary
Subject: Re: [Savannah-hackers] bug classified critical about mailx package
Date: Sun, 21 Apr 2002 00:27:58 +0200

        Upgraded mailx on subversions, although we're not running OpenBSD ;-)

mathieu writes:
 > http://bugs.debian.org/cgi-bin/bugreport.cgi?ar\&bug=143152
 > 
 > 
 > Package: mailx
 > Severity: critical
 > Tags: security patch upstream
 > 
 >          From http://www.deadly.org/article.php3?sid=20020413161803
 > 
 > "The mail(1) program can be made to execute arbitrary code in non
 > interactive mode. this can be exploited using cron and the system
 > startup scripts (by any local user with no privs) a patch is and
 > advisory is available on the advisory page."
 > 
 >          /usr/share/doc/mailx/copyright says "It is now based on
 >          OpenBSD in directory src/usr.bin/mail ...", so we're likely to
 >          be vulnerable.
 > 
 >      The deadly.org page contains an exploit, and OpenBSD has
 >          a patch ready.
 > 
 > 
 > ====> maybe the subversion.gnu.org should be updated.

-- 
Loic   Dachary         http://www.dachary.org/  address@hidden
12 bd  Magenta         http://www.senga.org/      address@hidden
75010    Paris         T: 33 1 42 45 07 97          address@hidden
        GPG Public Key: http://www.dachary.org/loic/gpg.txt


