Package: ecartis
Version: 1.0.0+cvs.20030911-10
Severity: grave
Tags: security
Justification: user security hole

Matthias Kilian reported this problem to the ecartis-dev mailing list. It
probably affects ecartis in oldstable, stable, testing, and unstable, but
only when using the non-default option pantomime-dir.

It's a simple conceptual problem with pantomime: when pantomime-dir is set,
ecartis strips attachments not only from mails to <$list>@<$hostname>, but
also from mails to <$list>-request@<$hostname>, and maybe from mails to
other administrative addresses -- I only checked [EMAIL PROTECTED]

This means that anyone could abuse ecartis lists with pantomime for
distributing arbitrary (illegal) content without being subscribed to any
mailing list (even if all lists are closed-post) and without the list-owner
or anyone else noticing.

A solution would be to pantomime *only* on the mailing lists, not on
administrative addresses. Upstream is working on a solution.

It doesn't affect the current CVS version only because pantomime is
completely broken.

Workarounds would be to disable pantomime or have it decode files into an
inaccessible directory and move only approved files out.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ecartis depends on:
ii  libc6                        2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  logrotate                    3.7-5         Log rotation utility
ii  sendmail-bin [mail-transpor  8.13.4-3      powerful, efficient, and scalable

-- no debconf information
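The following is an added, illustrative example and is not ecartis code or the reporter's own. It shows the two controls the report asks for: attachments are decoded only when the recipient is the bare list address (a <$list>-request or other administrative address is passed through untouched, so an outsider cannot get files published by mailing an address that bypasses closed-post), and decoded files land in a directory with mode 0700 so nothing is reachable until someone moves it out. The list name "announce", the set of administrative suffixes, the sample mail and all function names are assumptions made for the example; in a real MTA pipe the recipient local part would come from the delivery address.

```python
"""Illustrative guard for a pantomime-style attachment stripper (added example, not ecartis code)."""
import email
import email.policy
import os
import stat
import tempfile
from email.message import EmailMessage

# Constructed configuration for the example: a single list called "announce".
LISTS = {"announce"}

# Administrative suffixes to recognise. Assumption for the example; the report
# does not enumerate the addresses ecartis actually serves.
ADMIN_SUFFIXES = ("-request", "-owner", "-bounce", "-repost", "-approval")


def classify_recipient(localpart, lists=LISTS):
    """Return "post" for <list>, "admin" for <list>-request and friends, else "unknown"."""
    lp = localpart.lower()
    known = {name.lower() for name in lists}
    if lp in known:
        return "post"
    for suffix in ADMIN_SUFFIXES:
        if lp.endswith(suffix) and lp[: -len(suffix)] in known:
            return "admin"
    return "unknown"


def is_list_post_address(localpart, lists=LISTS):
    """Only the bare list address may have its attachments decoded."""
    return classify_recipient(localpart, lists) == "post"


def quarantine_mode(path):
    """Permission bits of the decode directory (expected 0o700)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def strip_attachments(raw, recipient_localpart, quarantine_dir=None, lists=LISTS):
    """Detach attachments from a list post into a private directory.

    Returns (message_bytes, saved_paths). For any recipient that is not the
    bare list address the message comes back untouched and nothing is written.
    """
    if not is_list_post_address(recipient_localpart, lists):
        return raw, []
    if quarantine_dir is None:
        quarantine_dir = tempfile.mkdtemp(prefix="pantomime-")
    os.chmod(quarantine_dir, 0o700)  # private until a human approves and moves files out

    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if not msg.is_multipart():
        return raw, []
    saved, kept = [], []
    for part in msg.get_payload():
        if part.get_content_disposition() != "attachment":
            kept.append(part)
            continue
        # basename() defeats "../" in a sender-chosen filename; the counter avoids collisions.
        name = os.path.basename(part.get_filename() or "") or "attachment"
        path = os.path.join(quarantine_dir, f"{len(saved):03d}-{name}")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        saved.append(path)
    msg.set_payload(kept)  # the post continues to the list without its attachments
    return msg.as_bytes(), saved


def build_sample_message():
    """Constructed sample: an outsider mails a binary to the -request address."""
    m = EmailMessage()
    m["From"] = "outsider@example.net"
    m["To"] = "announce-request@lists.example.org"
    m["Subject"] = "please host this"
    m.set_content("Please host this for me.")
    m.add_attachment(b"\x50\x4b\x03\x04" + b"\x00" * 28, maintype="application",
                     subtype="octet-stream", filename="payload.zip")
    return m.as_bytes()


def demo():
    """Run the same mail through both address kinds and summarise the outcome."""
    raw = build_sample_message()
    admin_out, admin_files = strip_attachments(raw, "announce-request")
    list_out, list_files = strip_attachments(raw, "announce")
    return {
        "admin_untouched": admin_out == raw and admin_files == [],
        "list_saved": [os.path.basename(p) for p in list_files],
        "attachment_removed": b"payload.zip" not in list_out and b"Please host" in list_out,
        "quarantine_mode": quarantine_mode(os.path.dirname(list_files[0])) if list_files else None,
    }


if __name__ == "__main__":
    print(demo())
```

The decisive check is the first line of strip_attachments: the recipient is classified before any MIME parsing happens, so administrative traffic never reaches the decoder at all, which is the fix the report proposes. The 0700 directory plus a manual move implements the second workaround the report mentions.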