Control: forcemerge 772706 778341 HI Santiago,
On Fri, Feb 13, 2015 at 08:04:17PM +0100, Santiago Vila wrote: > On Fri, Feb 13, 2015 at 07:48:07PM +0100, Salvatore Bonaccorso wrote: > > Source: procmail > > Version: 3.22-19 > > Severity: important > > Tags: security upstream > > > > Hi > > > > Jakub Wilk reported on oss-security that procmail has unsafe handling > > of the TZ environment variable, see > > > > http://openwall.com/lists/oss-security/2014/10/15/24 > > https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13 > > > > and > > > > http://seclists.org/oss-sec/2015/q1/533 > > > > This issue has got CVE-2014-9681 assigned. > > This is only dangerous if you let *others* to write your .procmailrc file, > as I already explained here: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706 > > But if you allow *others* to write your .procmailrc file, you should > really have more important things to worry about other than procmail > preserving the TZ environment variable. > > So: Could we please close this report as a non-bug? I see, I have missed #772706 somehow apparently, sorry about that. I have merged both reports. Regards, Salvatore -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

