On Sat, Feb 14, 2015 at 07:47:14AM +0100, Salvatore Bonaccorso wrote:
> I see, I have missed #772706 somehow apparently, sorry about that. I
> have merged both reports.

But this is still not a bug!

procmail may be seen as a shell or as a special purpose programming language. The bash shell allows the user to read arbitrary files, but nobody would say that it is "insecure" because of that. What is insecure is giving untrusted users shell access.

The same happens for procmail. You would never give an untrusted user the ability to write an arbitrary .procmailrc file because that would be nearly the same as giving shell access.

Can you explain this to whoever assigned a CVE number for this?