Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities
On Mon, Apr 08, 2002 at 10:36:31AM -0400, Bruce R. Lewis wrote:
> A recent message on debian-devel-announce shows cgiemail having been
> removed from the upcoming release.
>
> Has the buffer overflow fix for cgicso been checked in? If not, one
> option is to remove cgicso entirely, as it is really not useful except
> at MIT, and its existence probably confuses some people.
>
> As for the script-reading vulnerability, why not just have cgiemail and
> cgiecho not echo back the message sent at all; just say "a message was
> sent" or somesuch. Seems like a quick fix is needed if cgiemail is to
> be included in woody.
Better fixes are available, though. I'd forgotten that the last message
in this bug left it up to me to test them ... I'll have a look today or
tomorrow and see if we can get this sorted.
Colin Watson [email@example.com]