Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities

["Bruce R. Lewis" <brlewis@alum.mit.edu>]

A recent message on debian-devel-announce shows cgiemail having been
removed from the upcoming release.

Has the buffer overflow fix for cgicso been checked in?  If not, one
option is to remove cgicso entirely, as it is really not useful except
at MIT, and its existence probably confuses some people.

As for the script-reading vulnerability, why not just have cgiemail and
cgiecho not echo back the message sent at all; just say "a message was
sent" or somesuch.  Seems like a quick fix is needed if cgiemail is to
be included in woody.

There's an approach you could take that would be backward compatible:
Have cgiemail and cgicso only echo back the message if its first line is
clearly a valid mail header.  However, maybe a quick fix would be better
to get it into the release.

-- 
<brlewis@[(if (brl-related? message)    ; Bruce R. Lewis
              "users.sourceforge.net"   ; http://brl.sourceforge.net/
              "alum.mit.edu")]>


-- 
To UNSUBSCRIBE, email to debian-qa-packages-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org