headers
Lars Wirzenius | 13 Dec 2006 14:48
Picon
Picon

EoC 1.2.4 -- security problem fixed, please upgrade immediately

My face is covered in egg.

Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3
and the 1.2.3 versions. The problem is that EoC did not quote shell
arguments properly. I have fixed the problem in 1.2.4, which contains no
other changes relative to 1.2.3. This problem has the code
CVE-2006-5875.

You can find the 1.2.4 version from the EoC website:
http://liw.iki.fi/liw/eoc/ and I have also uploaded it to Debian's
unstable.

Debian's stable contains 1.0.3, and I have prepared a patch for that. It
is actually essentially the same patch as was used to create 1.2.4. The
Debian security team has uploaded a fixed version of the 1.0.3 package
to security.debian.org. I've attached it to this message in case anyone
not running Debian wants to stay with 1.0.3, but I won't be releasing a
1.0.4 unless someone really needs it (if you do, please tell me
immediately).

For risk assessment: I was unable to come up with an exploit. Doing so
would require getting a certain kind of construct through the SMTP level
to EoC, and I wasn't able to make that happen, but I would not rely on
it being impossible. Therefore, please upgrade immediately.

I apologize for this problem. It was amateurish to let the problematic
code into a released version of the program, I knew better than do that.
Attachment (eoc103.patch): text/x-patch, 2258 bytes
(Continue reading)

Permalink | Reply | 2 comments |
headers
William Dode | 13 Dec 2006 15:48
Favicon

Re: EoC 1.2.4 -- security problem fixed, please upgrade immediately

On 13-12-2006, Lars Wirzenius wrote:
>
> --=-tmCaUI/7rrqXrw6LLoFD
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
>
> My face is covered in egg.
>
> Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3
> and the 1.2.3 versions. The problem is that EoC did not quote shell
> arguments properly. I have fixed the problem in 1.2.4, which contains no
> other changes relative to 1.2.3. This problem has the code
> CVE-2006-5875.
>
> You can find the 1.2.4 version from the EoC website:
> http://liw.iki.fi/liw/eoc/ and I have also uploaded it to Debian's
> unstable.

You did'nt upgrade your bzr repository isnt'it ?
http://liw.iki.fi/liw/bzr/eoc1.2/

-- 
William Dodé  -  http://flibuste.net
Développeur informatique indépendant

--

-- 
To unsubscribe, send mail to eoc-unsubscribe@...

See the Enemies of Carlotta home page at <http://liw.iki.fi/liw/eoc/>
(Continue reading)

Permalink | Reply | 1 comment |
headers
Lars Wirzenius | 13 Dec 2006 18:08
Picon
Picon

Re: EoC 1.2.4 -- security problem fixed, please upgrade immediately

On ke, 2006-12-13 at 14:48 +0000, William Dode wrote:
> You did'nt upgrade your bzr repository isnt'it ?
> http://liw.iki.fi/liw/bzr/eoc1.2/

You're right, I forgot that, sorry. Should be up to date now. I've also
taken steps to make this somewhat less likely to happen in the future.

-- 
I think, therefore I am alone in the universe. -- Over the Hedge

--

-- 
To unsubscribe, send mail to eoc-unsubscribe@...

See the Enemies of Carlotta home page at <http://liw.iki.fi/liw/eoc/>
Permalink | Reply | 0 comments |
headers
William Dode | 18 Dec 2006 16:28
Favicon

sendmail on big list

Hi,

I made somes tests on a big mailing-list (more than 5000 mails),
it doesn't work if i use sendmail, without any message in the log file.
It works if i use --smtp-server=localhost.

Is it normal ?

I use exim4. For my local test i did some customized transport to
deliver the mails on the filesystem (it's very fast). I wonder if i will
have somes problems when i will deliver the mail outside. Shall i do
something on the exim config ?

thanks for the advices

-- 
William Dodé  -  http://flibuste.net
Développeur informatique indépendant

--

-- 
To unsubscribe, send mail to eoc-unsubscribe@...

See the Enemies of Carlotta home page at <http://liw.iki.fi/liw/eoc/>
Permalink | Reply | 1 comment |
headers
Lars Wirzenius | 18 Dec 2006 21:48
Picon
Picon

Re: sendmail on big list

On ma, 2006-12-18 at 15:28 +0000, William Dode wrote:
> I made somes tests on a big mailing-list (more than 5000 mails),
> it doesn't work if i use sendmail, without any message in the log file.
> It works if i use --smtp-server=localhost.
> 
> Is it normal ?

Looks like a bug somewhere, to me. I've no idea where, though. I have
done tests in the past with a million mails and then it did work (see
the BENCHMARK file).

-- 
Happiness is going NIH on your own stuff.

--

-- 
To unsubscribe, send mail to eoc-unsubscribe@...

See the Enemies of Carlotta home page at <http://liw.iki.fi/liw/eoc/>
Permalink | Reply | 0 comments |

Gmane