Re: Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Magnus, On Sun, Feb 24, 2019 at 08:28:00PM +0100, Magnus Holmgren wrote: > söndag 30 december 2018 kl. 09:38:57 CET skrev Salvatore Bonaccorso: > > There is an alternative approach wich was raised by Magnus in the > > respective bug: https://bugs.debian.org/914632#12 (and see followup > >

Re: Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap

söndag 30 december 2018 kl. 09:38:57 CET skrev Salvatore Bonaccorso: > There is an alternative approach wich was raised by Magnus in the > respective bug: https://bugs.debian.org/914632#12 (and see followup > from Moritz). So, is it OK to upload this (assuming there's no code out there that

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Salvatore, On Sun, Dec 30, 2018 at 09:38:57AM +0100, Salvatore Bonaccorso wrote: > > There is an alternative approach wich was raised by Magnus in the > respective bug: https://bugs.debian.org/914632#12 (and see followup > from Moritz). > I suppose I should have looked more carefully at the

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Unsubscribe me please On December 30, 2018 1:38:57 AM MST, Salvatore Bonaccorso wrote: >Hi Roberto, > >On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote: >> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: >> > [note: I am not subscribed to debian-security;

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Roberto, On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote: > On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: > > [note: I am not subscribed to debian-security; please keep me or > > debian-lts addressed on replies] > > > > If this seems like a sensible

RE: RFC: proposed fix for CVE-2018-19518 in uw-imap

Unsubscribe pls -Message d'origine- De : Roberto C. Sánchez Envoyé : samedi 29 décembre 2018 16:25 À : debian-lts@lists.debian.org; debian-secur...@lists.debian.org; Debian Security Team Cc : holmg...@debian.org Objet : Re: RFC: proposed fix for CVE-2018-19518 in uw-imap On Sat, Dec

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: > [note: I am not subscribed to debian-security; please keep me or > debian-lts addressed on replies] > > If this seems like a sensible approach, I propose to apply the attached > patch to uw-imap 8:2007f~dfsg-5 (the current

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Roberto I have checked your patch and the described problem and I think it looks good. As I understand the reason why you count the number of tokens instead of checking for a space in the hostname is that is easier to do that way as you do not need to make an advanced parse mechanism. To my

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Ciao Roberto, On 12/28/18 5:20 AM, Roberto C. Sánchez wrote: > Hi Tomas, > > On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote: >>Hi Robert, >> >>Your patch seems not to be definitive against CVE-2018-19518. >>This because checking for spaces won't be enough if an attacker

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Tomas, On Fri, Dec 28, 2018 at 12:53:00PM +, Tomas Bortoli wrote: > > By shell escaping I meant to escape all the special shell characters > within the input. That'd probably need additional dependencies or a neat > sanitizer function. > > But I was wrong, it's unnecessary as there's no

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Tomas, On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote: >Hi Robert, > >Your patch seems not to be definitive against CVE-2018-19518. >This because checking for spaces won't be enough if an attacker uses some >"bash trick" to get a space... >In fact you can

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Roberto, On 12/24/18 10:40 PM, Roberto C. Sánchez wrote: > There are two command templates involved in this section of code: > rshcommand and sshcommand. The two for loops each operate on a > different command template. Ah ahn.. I missed that single byte difference, thanks. > Yes, the

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Robert, Your patch seems not to be definitive against CVE-2018-19518. This because checking for spaces won't be enough if an attacker uses some "bash trick" to get a space... In fact you can get a space by not typing it, with something like this: a=`date`;echo${a:3:1}asd Will print "asd".. it

Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

Hi Tomas, Thanks for the feedback. On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote: >Hi Robert, > >Your patch seems not to be definitive against CVE-2018-19518. >This because checking for spaces won't be enough if an attacker uses some >"bash trick" to get a

RFC: proposed fix for CVE-2018-19518 in uw-imap

[note: I am not subscribed to debian-security; please keep me or debian-lts addressed on replies] Hello all, I have been working on trying to reproduce CVE-2018-19518 in uw-imap. I had already prepared PHP updates for jessie and wheezy to address that aspect of the vulnerability, though neither