Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

To: Tomas Bortoli <tomasbortoli@hotmail.it>
Cc: "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "debian-security@lists.debian.org" <debian-security@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
From: Roberto C. Sánchez <roberto@debian.org>
Date: Fri, 28 Dec 2018 09:27:31 -0500
Message-id: <[🔎] 20181228142731.q5362cfksd64h5nu@santiago.connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, Tomas Bortoli <tomasbortoli@hotmail.it>, "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>, "debian-security@lists.debian.org" <debian-security@lists.debian.org>, Debian Security Team <team@security.debian.org>
In-reply-to: <[🔎] HE1PR0801MB1980C46A889A12FA53D2A927B6B70@HE1PR0801MB1980.eurprd08.prod.outlook.com>
References: <[🔎] 20181223032718.2zxlwl6fybebsdgh@santiago.connexer.com> <[🔎] HE1PR0801MB1980A00D267E3A7018AF02E5B6BB0@HE1PR0801MB1980.eurprd08.prod.outlook.com> <[🔎] 20181228042015.ubbdaxblbc4zwuyn@santiago.connexer.com> <[🔎] HE1PR0801MB1980C46A889A12FA53D2A927B6B70@HE1PR0801MB1980.eurprd08.prod.outlook.com>

Hi Tomas,

On Fri, Dec 28, 2018 at 12:53:00PM +0000, Tomas Bortoli wrote:
> 
> By shell escaping I meant to escape all the special shell characters
> within the input. That'd probably need additional dependencies or a neat
> sanitizer function.
> 
> But I was wrong, it's unnecessary as there's no shell interpreter there
> but it's just using `execv` to get rsh/ssh running.
> 
> I agree that preventing the injection of spaces will prevent the
> injection of additional parameters and therefore the execution of
> unexpected commands.
> 
Thanks for the feedback and confirmation.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

References:
- RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Tomas Bortoli <tomasbortoli@hotmail.it>
- Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
  - From: Tomas Bortoli <tomasbortoli@hotmail.it>

Prev by Date: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Next by Date: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Previous by thread: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Next by thread: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Index(es):
- Date
- Thread