-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Willi,

On Fri, 30 Dec 2016 at 18:18, Willi Mann wrote:
> can you elaborate how this could be exploited?

Well, a log principally contains untrusted data that could be injected from an untrusted source. That is no security hole in itself. But when that data gets displayed with the wrong charset, that can trigger problems in window managers (for example). See xterm, which can be controlled via ANSI sequences. Even more, it could trigger stream conversion problems if the UTF-8 implementation is not really fully tested with broken streams.

> What would be your suggested fix?

Send the data with a charset that covers the full byte, not only a part of it like UTF-8, or convert it somehow to UTF-8, which would be impossible as you don't know the source charset. The fail-safe default before was ISO-8859-1. So I suggest using it again.

Regards
   Klaus
- --
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Comment: Charset: ISO-8859-1

iQGzBAEBCgAdFiEEMWF28vh4/UMJJLQEpnwKsYAZ9qwFAlhmmyAACgkQpnwKsYAZ
9qzhKQv9Gecm9WzvdohmcSwFTX9mMpsSN34r1zcMbWgMEYw2PRIYtBBsPvf8gZ5q
vb1qWmipWoYE4HGPsNftm5+VhdkIdvU5fyB2UIcSAtOgjNqY7pTpe3yC3o0DHFcq
7SFuBerH8peJM6HvuPXzsRQVxk0/YOBG+OvprKyi6fWYbDN3wC6xfv1gB4BAI0b7
2kBmBxgV7RhN1qgttbGOXmDCvxvlVydArmotmaWG7DUqfFle/T9Y9FOOFBvdEy+z
JGdQSNX6TNryiVXAnAJJepa7GCLV0/1CuSV0327WV5vBJXAJCqcW4zbI2+MZp79A
2WCoOzy8JdeAxacK2XV2xynVzvqfIrw41E9QFMdoo/944zR6S3VqwZh4PF97FJW+
tDt+vAnYKglOzufjbFxKojjffba357TumQ3oH1+4JAAKZIKeeJXa2iVt8stD1eBN
O34FmWY5qffn8oeP3AbB54LHJBoNmzpJErZqEZYv/1gZi3pSu0Ie4BrMu0IFQr3y
cOLr8pkg
=pzp3
-----END PGP SIGNATURE-----
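An added illustration of the charset argument made in the reply above (example code written for this page, not part of the thread or of any project discussed in it). It uses a constructed log line containing a lone ISO-8859-1 byte and a raw ESC character to show three things: strict UTF-8 decoding rejects the line, ISO-8859-1 decodes any byte sequence and round-trips it losslessly, and a small sanitizer can make C0/C1 control characters (ESC included) visible before the text reaches a terminal or mail client. The function and constant names are the example's own.

```python
"""Added example: byte-transparent charset handling for untrusted log data,
plus a defensive step that neutralises terminal control characters."""

from typing import Optional

# C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F).
CONTROL_CHARS = set(range(0x00, 0x20)) | {0x7F} | set(range(0x80, 0xA0))
# Tab and newline are kept so the log stays readable.
ALLOWED_WHITESPACE = {0x09, 0x0A}

# Constructed sample log line (not real log output): plain ASCII, a lone
# 0xE4 byte (an ISO-8859-1 'ä' that is invalid on its own in UTF-8), and a
# raw ESC starting a harmless ANSI colour sequence.
SAMPLE_LINE = b"Dec 30 18:18:01 host sshd[1234]: user \xe4 login \x1b[31mFAILED\x1b[0m\n"


def decode_utf8_strict(data: bytes) -> Optional[str]:
    """Return the text if the bytes are valid UTF-8, else None."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_latin1(data: bytes) -> str:
    """ISO-8859-1 maps every byte 0x00-0xFF to exactly one code point,
    so decoding can never fail and loses nothing."""
    return data.decode("iso-8859-1")


def roundtrips_latin1(data: bytes) -> bool:
    """Check that decode followed by encode reproduces the input bytes."""
    return decode_latin1(data).encode("iso-8859-1") == data


def contains_escape(text: str) -> bool:
    """True if a raw ESC (0x1B) survives in the text, i.e. a terminal
    could interpret what follows as a control sequence."""
    return "\x1b" in text


def sanitize_for_display(text: str) -> str:
    """Replace every control character except tab/newline with a visible
    \\xNN escape so nothing in the line can drive the display."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp in CONTROL_CHARS and cp not in ALLOWED_WHITESPACE:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(ch)
    return "".join(out)


def prepare_for_mail(data: bytes) -> str:
    """Full pipeline: byte-transparent decode, then neutralise controls."""
    return sanitize_for_display(decode_latin1(data))


if __name__ == "__main__":
    print("strict UTF-8 decode:", decode_utf8_strict(SAMPLE_LINE))
    print("latin-1 round-trips:", roundtrips_latin1(SAMPLE_LINE))
    print("prepared line:", prepare_for_mail(SAMPLE_LINE), end="")
```

The sanitizer is the part the charset choice alone does not give you: labelling the mail ISO-8859-1 makes the bytes survive transport unchanged, but whether a raw ESC in a log line can act on the recipient's terminal is decided by what is done with those bytes before display.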