Your message dated Wed, 10 Dec 2014 15:03:40 +0100
with message-id <[email protected]>
and subject line Re: Bug#772706: procmail: should not preserve TZ
has caused the Debian Bug report #772706,
regarding procmail: should not preserve TZ
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
772706: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: procmail
Version: 3.22-23
Tags: security
procmail preserves the TZ variable from user's environment, without any
sanitization. This is a bad idea on glibc systems, where you can set TZ
to an arbitrary file, which will then be read by tzset(3).
This can be abused for denial of service (by pointing TZ to a named pipe
or a tape device that wouldn't be otherwise readable); or it could allow
exploiting tzfile parsing bugs (such as #772705).
--
Jakub Wilk
--- End Message ---
--- Begin Message ---
On Wed, Dec 10, 2014 at 12:33:39PM +0100, Jakub Wilk wrote:
> Package: procmail
> Version: 3.22-23
> Tags: security
>
> procmail preserves the TZ variable from user's environment, without any
> sanitization. This is a bad idea on glibc systems, where you can set TZ to
> an arbitrary file, which will then be read by tzset(3).
>
> This can be abused for denial of service (by pointing TZ to a named pipe or
> a tape device that wouldn't be otherwise readable); or it could allow
> exploiting tzfile parsing bugs (such as #772705).
In general, procmail allows the user to run arbitrary commands,
via .procmailrc, which of course includes reading an arbitrary file.
[ Please note that the bash shell also allows the user to run arbitrary
commands, and this is not considered a security bug in bash ].
If you don't want your users to run arbitrary commands, you should not
let them write .procmailrc files to begin with.
Moreover, there is not a single occurrence of TZ in procmail source code,
except for the lines where this variable is set to be preserved:
$ rgrep TZ *
config.h: * #define KEEPENV {"TZ","LANG",0}
config.h:#define KEEPENV {"TZ",0}
So, if this is a problem at all, it would be a problem in whatever
program is using the TZ variable, but not in procmail. As I see that
you have already reported this against libc6, I'm closing this report.
Thanks.
--- End Message ---
