> -----Original Message-----
> From: Willi Mann [mailto:wi...@debian.org] 
> Sent: Friday, December 30, 2016 12:18
> To: logwatch-de...@lists.sourceforge.net
> Cc: 849...@bugs.debian.org; 849531-forwar...@bugs.debian.org; Klaus Ethgen
> Subject: Re: [Logwatch-devel] Bug#849531: Possible security problem, new logwatch sends mails with charset UTF-8
> 
> Hi Klaus,
> 
> can you elaborate how this could be exploited? 

It does not make the list at http://unicode.org/reports/tr36/, but bad UTF-8
**may** cause email programs to behave badly. A Google search for "unicode crash"
brings up the iPhone message-processing issues...

> What would be your suggested fix?

Not sure it is a high risk issue, but perl should use 

binmode(STDOUT, ":utf8");

to encode the perl strings as utf-8.

> 
> I'm including the upstream mailing list in the conversation.
> 
> thank you
> Willi
> 
> On 2016-12-28 at 10:09, Klaus Ethgen wrote:
> > Package: logwatch
> > Version: 7.4.3+git20161207-1
> > Severity: critical
> > 
> > Current logwatch changed from sending mails with charset iso-8859-1
> > to UTF-8. This opens up a potential security hole as UTF-8 is not able

To give context...

commit f9db5949c58321175bda66310156f43ae607109f
Author: bjorn <bjo...@users.sourceforge.net>
Date:   Sat Oct 15 17:38:40 2016 -0700

    Changed encoding to UTF-8, as suggested by Goran Uddeborg.

diff --git a/scripts/logwatch.pl b/scripts/logwatch.pl
index 0f863dc..0167755 100755
--- a/scripts/logwatch.pl
+++ b/scripts/logwatch.pl
@@ -1162,9 +1162,9 @@ sub initprint {
          }
          #Config{output} html
          if ( $Config{'format'} eq "html" ) {
-            $out_mime .= "Content-Type: text/html; charset=\"iso-8859-1\"\n\n";
+            $out_mime .= "Content-Type: text/html; charset=\"UTF-8\"\n\n";
          } else {
-            $out_mime .= "Content-Type: text/plain; 
charset=\"iso-8859-1\"\n\n";
+            $out_mime .= "Content-Type: text/plain; charset=\"UTF-8\"\n\n";
          }

          if ($Config{'hostformat'} eq "split") { #8.0 check hostlimit also? or 
ne none?
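Review bot: the hunk changes only the charset string in the Content-Type header; nothing in it encodes or transcodes the body, so the same bytes as before are now sent under a UTF-8 label instead of an iso-8859-1 one. Where the body is assembled from log data in the native charset, the new declaration no longer matches the bytes actually written, which is exactly the mismatch the bug report describes. The header change should be paired with real output encoding (for example the binmode(STDOUT, ":utf8") suggested above, together with decoding the log input from its source charset), or the declared charset should stay aligned with the bytes emitted.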

> > to display all 8bit data.
> > 
> > This is especially true as the output from logwatch is from an untrusted
> > source where someone could easily put some malicious content in. Logwatch
> > does nothing to clean up the mail content or convert it from the native
> > charset to UTF-8.
> > 
> > Note that this bug went in recently as 7.4.0 did not have this bug
> > (neither does 7.4.1). I do not find any upstream changelog in the
> > package and when I download it from upstream directly, I cannot find any
> > note of this breaking change.
> > 
> > -- System Information:
> > Debian Release: stretch/sid
> >   APT prefers unstable
> >   APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> > 
> > Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
> > Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
> > Shell: /bin/sh linked to /bin/dash
> > Init: sysvinit (via /sbin/init)
> > 
> > Versions of packages logwatch depends on:
> > ii  exim4-daemon-light [mail-transport-agent]  4.88~RC6-2
> > pn  perl:any                                   <none>
> > 
> > Versions of packages logwatch recommends:
> > ii  libdate-manip-perl   6.56-1
> > ii  libsys-cpu-perl      0.61-2+b1
> > pn  libsys-meminfo-perl  <none>
> > 
> > Versions of packages logwatch suggests:
> > ii  fortune-mod  1:1.99.1-7
> > 
> > -- no debconf information
> > 
> > 
> 
> 
> _______________________________________________
> Logwatch-devel mailing list
> logwatch-de...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/logwatch-devel
> 
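As an added example (not logwatch's own code, and not part of this thread), the following Perl script shows why relabelling the header as UTF-8 is not enough and what the suggested binmode fix looks like once the log input is also decoded from its source charset. The sample log line, the ISO-8859-1 source charset (matching the reporter's locale) and the helper names is_valid_utf8 and to_utf8_report are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not logwatch code: a body labelled charset=UTF-8 must
# actually be UTF-8. Assumes log text arrives as bytes in the host's native
# charset (ISO-8859-1 here) and is to be mailed as UTF-8.
use strict;
use warnings;
use Encode qw(decode encode FB_CROAK);

# Constructed sample: "Zugriff verweigert für" in ISO-8859-1 (0xFC is u-umlaut
# there but is not a valid byte in UTF-8), plus a stray terminal escape such
# as an untrusted log field could carry into the report.
my $native_bytes = "sshd: Zugriff verweigert f\xFCr root \e[31mALERT\e[0m\n";

# Returns 1 when $bytes is well-formed UTF-8, 0 otherwise. Strict 'UTF-8'
# with FB_CROAK throws on any malformed sequence; $bytes is a copy, so the
# in-place truncation FB_CROAK performs on failure does not leak out.
sub is_valid_utf8 {
    my ($bytes) = @_;
    my $ok = eval { decode('UTF-8', $bytes, FB_CROAK); 1 };
    return $ok ? 1 : 0;
}

# What the patched header promises versus what an unconverted body delivers.
print "raw native bytes valid UTF-8: ", is_valid_utf8($native_bytes), "\n";  # 0

# Correct pipeline: decode the input from its real charset into Perl
# characters, drop C0 control characters and DEL that have no place in a
# report (tab and newline kept), then encode the characters as UTF-8.
sub to_utf8_report {
    my ($bytes, $source_charset) = @_;
    my $text = decode($source_charset, $bytes, FB_CROAK);
    $text =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g;
    return encode('UTF-8', $text);
}

my $utf8_bytes = to_utf8_report($native_bytes, 'iso-8859-1');
print "converted bytes valid UTF-8: ", is_valid_utf8($utf8_bytes), "\n";     # 1

# When the report is printed as Perl character strings, setting the output
# layer once does the encode() step for every print. The ':utf8' layer from
# the reply works too; ':encoding(UTF-8)' is the strict, checked variant.
binmode(STDOUT, ':encoding(UTF-8)');
my $report_text = decode('iso-8859-1', $native_bytes);
$report_text =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g;
print $report_text;
```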
