Hi Magnus,
On Sun, Feb 24, 2019 at 08:28:00PM +0100, Magnus Holmgren wrote:
> On Sunday, 30 December 2018, 09:38:57 CET, Salvatore Bonaccorso wrote:
> > There is an alternative approach which was raised by Magnus in the
> > respective bug: https://bugs.debian.org/914632#12 (and see followup
> >
On Sunday, 30 December 2018, 09:38:57 CET, Salvatore Bonaccorso wrote:
> There is an alternative approach which was raised by Magnus in the
> respective bug: https://bugs.debian.org/914632#12 (and see followup
> from Moritz).
So, is it OK to upload this (assuming there's no code out there that
Hi Salvatore,
On Sun, Dec 30, 2018 at 09:38:57AM +0100, Salvatore Bonaccorso wrote:
>
> There is an alternative approach which was raised by Magnus in the
> respective bug: https://bugs.debian.org/914632#12 (and see followup
> from Moritz).
>
I suppose I should have looked more carefully at the
Unsubscribe me please
On December 30, 2018 1:38:57 AM MST, Salvatore Bonaccorso
wrote:
>Hi Roberto,
>
>On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:
>> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
>> > [note: I am not subscribed to debian-security;
Hi Roberto,
On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:
> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> > [note: I am not subscribed to debian-security; please keep me or
> > debian-lts addressed on replies]
> >
> > If this seems like a sensible
Unsubscribe
pls
-Original Message-
From: Roberto C. Sánchez
Sent: Saturday, 29 December 2018 16:25
To: debian-lts@lists.debian.org; debian-secur...@lists.debian.org; Debian
Security Team
Cc: holmg...@debian.org
Subject: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
On Sat, Dec
On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> [note: I am not subscribed to debian-security; please keep me or
> debian-lts addressed on replies]
>
> If this seems like a sensible approach, I propose to apply the attached
> patch to uw-imap 8:2007f~dfsg-5 (the current
Hi Roberto
I have checked your patch and the described problem and I think it
looks good. As I understand the reason why you count the number of tokens
instead of checking for a space in the hostname is that it is easier to do
that way as you do not need to make an advanced parse mechanism.
To my
Ciao Roberto,
On 12/28/18 5:20 AM, Roberto C. Sánchez wrote:
> Hi Tomas,
>
> On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote:
>>Hi Robert,
>>
>>Your patch seems not to be definitive against CVE-2018-19518.
>>This is because checking for spaces won't be enough if an attacker
Hi Tomas,
On Fri, Dec 28, 2018 at 12:53:00PM +, Tomas Bortoli wrote:
>
> By shell escaping I meant to escape all the special shell characters
> within the input. That'd probably need additional dependencies or a neat
> sanitizer function.
>
> But I was wrong, it's unnecessary as there's no
Hi Tomas,
On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote:
>Hi Robert,
>
>Your patch seems not to be definitive against CVE-2018-19518.
>This is because checking for spaces won't be enough if an attacker uses some
>"bash trick" to get a space...
>In fact you can
Hi Roberto,
On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> There are two command templates involved in this section of code:
> rshcommand and sshcommand. The two for loops each operate on a
> different command template.
Ah ahn.. I missed that single byte difference, thanks.
> Yes, the
Hi Robert,
Your patch seems not to be definitive against CVE-2018-19518.
This is because checking for spaces won't be enough if an attacker uses some "bash
trick" to get a space...
In fact you can get a space by not typing it, with something like this:
a=`date`;echo${a:3:1}asd
Will print "asd".. it
Hi Tomas,
Thanks for the feedback.
On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote:
>Hi Robert,
>
>Your patch seems not to be definitive against CVE-2018-19518.
>This is because checking for spaces won't be enough if an attacker uses some
>"bash trick" to get a
[note: I am not subscribed to debian-security; please keep me or
debian-lts addressed on replies]
Hello all,
I have been working on trying to reproduce CVE-2018-19518 in uw-imap. I
had already prepared PHP updates for jessie and wheezy to address that
aspect of the vulnerability, though neither