-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: logwatch
Version: 7.4.3+git20161207-1
Severity: critical

Current logwatch did change from sending mails with charset iso-8859-1
to UTF-8. This opens up a potential security hole as UTF-8 is not able
to display all 8-bit data.

This is especially true as the output from logwatch is from an untrusted
source, where someone could easily put some malicious content in. Logwatch
does nothing to clean up the mail content or convert it from the native
charset to UTF-8.

Note that this bug went in recently, as 7.4.0 did not have this bug
(neither does 7.4.1). I do not find any upstream changelog in the
package, and when I download it from upstream directly, I cannot find any
note of this breaking change.
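The charset mismatch described above, shown as an added example that is not part of this report or of logwatch's own code: a constructed ISO-8859-1 log line (with an umlaut and a terminal escape sequence, as an untrusted client could write into a log) is not valid UTF-8, so labelling it charset=UTF-8 without conversion is wrong; the second function does what the report says logwatch should do, decoding from the native charset, stripping control sequences and re-encoding as UTF-8.

```python
import re
import unicodedata

# Constructed sample: a log line as read on an ISO-8859-1 locale
# (LANG=de_DE), containing "für" as byte 0xFC and an ANSI colour
# escape sequence injected by an untrusted party.
RAW_LOG_LINE = b"Login f\xfcr user \x1b[31mevil\x1b[0m fehlgeschlagen"

# Matches ANSI CSI sequences such as ESC [ 31 m.
ANSI_CSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")


def decodes_as_utf8(raw: bytes) -> bool:
    """True if the bytes are valid UTF-8, i.e. a Content-Type header
    declaring charset=UTF-8 would be honest for this body."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def to_utf8_mail_body(raw: bytes, native_charset: str = "iso-8859-1") -> bytes:
    """Decode from the native charset, drop ANSI escape sequences and any
    remaining control/format characters (newline and tab are kept), then
    encode as UTF-8 so the declared charset matches the bytes sent."""
    text = raw.decode(native_charset, errors="replace")
    text = ANSI_CSI.sub("", text)
    cleaned = "".join(
        ch for ch in text
        if ch in "\n\t" or unicodedata.category(ch) not in ("Cc", "Cf")
    )
    return cleaned.encode("utf-8")


if __name__ == "__main__":
    print("raw line is valid UTF-8:", decodes_as_utf8(RAW_LOG_LINE))
    print("converted body:", to_utf8_mail_body(RAW_LOG_LINE))
```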

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages logwatch depends on:
ii  exim4-daemon-light [mail-transport-agent]  4.88~RC6-2
pn  perl:any                                   <none>

Versions of packages logwatch recommends:
ii  libdate-manip-perl   6.56-1
ii  libsys-cpu-perl      0.61-2+b1
pn  libsys-meminfo-perl  <none>

Versions of packages logwatch suggests:
ii  fortune-mod  1:1.99.1-7

-- no debconf information

-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
