Control: forcemerge 772706 778341

Hi Santiago,

On Fri, Feb 13, 2015 at 08:04:17PM +0100, Santiago Vila wrote:
> On Fri, Feb 13, 2015 at 07:48:07PM +0100, Salvatore Bonaccorso wrote:
> > Source: procmail
> > Version: 3.22-19
> > Severity: important
> > Tags: security upstream
> > 
> > Hi
> > 
> > Jakub Wilk reported on oss-security that procmail has unsafe handling
> > of the TZ environment variable, see
> > 
> > http://openwall.com/lists/oss-security/2014/10/15/24
> > https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13
> > 
> > and
> > 
> > http://seclists.org/oss-sec/2015/q1/533
> > 
> > This issue has got CVE-2014-9681 assigned.
> 
> This is only dangerous if you let *others* write your .procmailrc file,
> as I already explained here:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706
> 
> But if you allow *others* to write your .procmailrc file, you should
> really have more important things to worry about other than procmail
> preserving the TZ environment variable.
> 
> So: Could we please close this report as a non-bug?

I see, I have missed #772706 somehow apparently, sorry about that. I
have merged both reports.

Regards,
Salvatore
