[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [roessler@guug.de: Re: debian freeze / mutt]

> >> What do you think about the fix to the /etc/mailcap security bug in
> >> the last mutt release? The same bug has been reported on bugtraq
> >> about PINE. The author asked me to package it for frozen.
> > My understanding of that bug is that it involves having back-tick
> > expressions within the mailcap commands.  That needs to be
> > addressed by whatever packages installed those rules.
> > Since only root can install into the global rule list, I don't see
> > this are a real problem.  Please let me know if I don't understand
> > something about this.
> Debian should be able to guarantee all the mailcap entries which are
> generated by packages on a Debian system are safe.  Additionally,
> users may add their own bad mailcap entries, fetched from the net.
> While I agree with Brian that this problem should really be fixed in
> the mailcap file, I'd suggest MUAs at least implement some security
> measures.

In general, it is not possible for a computer program to guarantee
the safety of things.  The number of possibilities is endless in
this case and many others.

Users cannot add to the global mailcap file.  Only root can and root
always has to pay attention to security issues.  Users can add to their
personal mailcap file, but that file is only used by them (unless
explicitly used by another) and is things in it are run under their

                                  ( bcwhite@pobox.com )

   If you love something, set it free.  If it comes back, it was, and always
     will be yours.  If it never returns, it was never yours to begin with.

Reply to: