The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Metamail problem (VU#8510)

-----BEGIN PGP SIGNED MESSAGE-----

Alan Cox <alan@cymru.net> writes:
>This appears to be a tcsh bug, but it shows up with metamail and can
>be abused. Olaf's message follows below...


Folks,

Many thanks, Olaf, for putting together a patch for this problem!
We've been looking at the metamail scripts and the patch a bit more closely
and have found a couple of other fixes that we believe need to be made.

Most importantly, the "switch" statement added by Olaf to showexternal to look
for spaces and tabs looks quite good.  In fact, doesn't it need to be at the top
of any script that might be used to process mail?  (e.g. showpicture,
showpartial, etc.) The problem is that it isn't enough to quote the
"set x = $1" lines.  We can break "if" statements such as "if (... $4 == ...)"
because it turns out those statements are also reparsed for spaces after
variable substitution.  (Set $4 to something including '{ /trojanprogram }',
for example.) It would be fine to quote all shell variables (see below)
but the switch statement is a good idea that appears to work well.

We can't see much use for arguments to any of these scripts to contain spaces.
They are just likely to cause problems later, so perhaps the switch would be
good to put in all scripts anyway for added protection.

Second, the switch statement catches this but for safety we'd recommend
that the 'get $name $NEWNAME' input to the FTP command have "$name" be
in double quotes also.  Otherwise, if spaces aren't generally stripped
by the "switch" in the patch, one can arrange for the file to be created
anywhere since ftp(1)'s "get" seems to silently ignore extra arguments.

Third, although we couldn't actually break the switch statement, we felt
uncomfortably close several times.  We would be inclined to put double quotes
around all shell variables (except perhaps $#... and $?...) that are set to
values which depended at any point on a command line argument.  Olaf's patch
already adds quotes to the "set" commands in showexternal even after the
"switch" and for the same reasons quotes should at least be added to all
variables in "if" statements.  Probably best to add them everywhere to be safe.

If someone knows of a version of these files with these mods that we can point
to in an advisory for general use (not just Linux users), we would very much
like to be able to do that.  Please let us know if you do.  We'd like to get
an advisory out about this shortly.

					-- Jim Ellis
					jte@cert.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM2j05nVP+x0t4w7BAQFwqAP9EjszFz23oVPzb+vkWnZ4ILCp/tcdUC9X
ZtHSKYP2pZ52iKiP7tV0jzXc2EFR12BrtF0FFHbj+cg22QaWLrsztMF/XUDhZy7D
iWwhJNJC/ZuCfWuMTnPbI2voNwaMaICd2YliCWuQef/ZJ2sPNeUyrueBeYwYSdTO
M9g7FQ0Bb9c=
=SWuU
-----END PGP SIGNATURE-----


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .