Hi Klaus,

can you elaborate how this could be exploited? What would be your
suggested fix?

I'm including the upstream mailing list in the conversation.

thank you
Willi

On 2016-12-28 at 10:09, Klaus Ethgen wrote:
> Package: logwatch
> Version: 7.4.3+git20161207-1
> Severity: critical
> 
> Current logwatch did change from sending mails with charset iso-8859-1
> to UTF-8. This opens up a potential security hole as UTF-8 is not able
> to display all 8bit data.
> 
> This is especially true as the output from logwatch is from untrusted
> sources, where someone could easily put some malicious content in. Logwatch
> does nothing to cleanup the mail content or convert it from the native
> charset to UTF-8.
> 
> Note that this bug went in recently as 7.4.0 did not have this bug
> (neither does 7.4.1). I do not find any upstream changelog in the
> package and when I download it from upstream directly, I cannot find any
> note of this breaking change.
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
> Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
> 
> Versions of packages logwatch depends on:
> ii  exim4-daemon-light [mail-transport-agent]  4.88~RC6-2
> pn  perl:any                                   <none>
> 
> Versions of packages logwatch recommends:
> ii  libdate-manip-perl   6.56-1
> ii  libsys-cpu-perl      0.61-2+b1
> pn  libsys-meminfo-perl  <none>
> 
> Versions of packages logwatch suggests:
> ii  fortune-mod  1:1.99.1-7
> 
> -- no debconf information
> 
> 

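As an added illustration of the charset point raised in the report above (example code, not from logwatch or either author): it shows why 8-bit ISO-8859-1 log data cannot simply be labelled UTF-8, and one defensive conversion before such data is placed in a mail body. The sample log line and the `iso-8859-1` native charset are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample: a log line that a remote client can influence (here a
# login name), written by a daemon in the native charset ISO-8859-1, not UTF-8.
# 0xFC is "ü" in ISO-8859-1 and 0x1B starts a terminal escape sequence.
NATIVE_CHARSET = "iso-8859-1"          # assumption for this example
SAMPLE_LOG_LINE = b"Invalid user J\xfcrgen\x1b[2J from 192.0.2.10"  # constructed

# C0/C1 control characters except TAB and LF are stripped, so an untrusted log
# entry cannot carry terminal escapes or bare CR into the generated mail.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def is_valid_utf8(data: bytes) -> bool:
    """True if data decodes as strict UTF-8; 8-bit ISO-8859-1 text usually does not."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def to_mail_safe_utf8(data: bytes, native_charset: str = NATIVE_CHARSET) -> str:
    """Decode untrusted 8-bit log data into text safe for a UTF-8 mail body.

    Strict UTF-8 is tried first; otherwise the native charset is assumed.
    Bytes the native charset cannot decode become U+FFFD rather than being
    passed through raw, and control characters are removed.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        text = data.decode(native_charset, errors="replace")
    # NFC puts equivalent characters in one canonical form before filtering.
    text = unicodedata.normalize("NFC", text)
    return _CONTROL_CHARS.sub("", text)


if __name__ == "__main__":
    print(is_valid_utf8(SAMPLE_LOG_LINE))       # False
    print(to_mail_safe_utf8(SAMPLE_LOG_LINE))   # Invalid user Jürgen[2J from 192.0.2.10
```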