

Re: Metamail problem (bug in tcsh)



Alan> This appears to be a tcsh bug, but it shows up with metamail and
Alan> can be abused. Olaf's message follows below. I've also passed it
Alan> on to CERT
[...]
Olaf> Here's the info on metamail I promised to send you. The hole may be
Olaf> exploitable if you let metamail run showext for messages of type
Olaf> message/external-body. At least tcsh, and possibly a few other csh's,
Olaf> do seem to do weird things when expanding command line arguments.
Olaf> If you give a script an argument of "foo FTP=/tmp/evilcmd", and it
Olaf> does
Olaf> 	  set var=$1
Olaf> this will assign foo to $var, and /tmp/evilcmd to $FTP. Unfortunately,
Olaf> metamail invokes showext with the mime attributes on the command line,

This is a feature of csh & relatives, no bug. It's documented that
'set' can set more than one variable at once with the syntax

  set var1=value1 var2=value2 var3=value3 ...

The bug is obviously in the 'showext' script, which doesn't quote
$1. (A common error in shell programming...)

Roman
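
Added example, not part of the original message and not the real showext script: a constructed csh script that shows the unquoted `set var=$1` described above next to the quoted form. The `FTP` default of `ftp` and the script name `setdemo.csh` are assumptions made for illustration.

```csh
#!/bin/csh -f
# Constructed demo, not the real showext script.
# Usage: ./setdemo.csh "foo FTP=/tmp/evilcmd"
if ($#argv != 1) then
    echo "usage: $0 'single argument'"
    exit 1
endif

# Hypothetical default that the script expects to control itself.
set FTP = ftp

# Unquoted: the expansion of $1 is split on blanks, so 'set' receives
# two words, "var=..." and "FTP=...", and performs both assignments.
set var=$1
echo "unquoted: var is '$var'"
echo "unquoted: FTP is '$FTP'"

# Reset, then repeat with the argument quoted.
set FTP = ftp

# Quoted: the expansion stays a single word, so only var is assigned
# and the caller-supplied text cannot name a second variable.
set var="$1"
echo "quoted:   var is '$var'"
echo "quoted:   FTP is '$FTP'"
```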