> -----Original Message-----
> From: Willi Mann [mailto:wi...@debian.org]
> Sent: Friday, December 30, 2016 12:18
> To: logwatch-de...@lists.sourceforge.net
> Cc: 849...@bugs.debian.org; 849531-forwar...@bugs.debian.org; Klaus Ethgen
> Subject: Re: [Logwatch-devel] Bug#849531: Possible security problem, new logwatch sends mails with charset UTF-8
>
> Hi Klaus,
>
> can you elaborate how this could be exploited?
It does not make the list at http://unicode.org/reports/tr36/ , but bad utf-8 **may** cause email programs to behave badly. A google for unicode crash brings up the iPhone message processing issues...

> What would be your suggested fix?

Not sure it is a high risk issue, but perl should use binmode(STDOUT, ":utf8"); to encode the perl strings as utf-8.

>
> I'm including the upstream mailing list in the conversation.
>
> thank you
> Willi
>
> On 2016-12-28 at 10:09, Klaus Ethgen wrote:
> > Package: logwatch
> > Version: 7.4.3+git20161207-1
> > Severity: critical
> >
> > Current logwatch did change from sending mails with charset iso-8859-1
> > to UTF-8. This opens up a potential security hole as UTF-8 is not able

To give context...

commit f9db5949c58321175bda66310156f43ae607109f
Author: bjorn <bjo...@users.sourceforge.net>
Date:   Sat Oct 15 17:38:40 2016 -0700

    Changed encoding to UTF-8, as suggested by Goran Uddeborg.

diff --git a/scripts/logwatch.pl b/scripts/logwatch.pl
index 0f863dc..0167755 100755
--- a/scripts/logwatch.pl
+++ b/scripts/logwatch.pl
@@ -1162,9 +1162,9 @@ sub initprint { } #Config{output} html if ( $Config{'format'} eq "html" ) { - $out_mime .= "Content-Type: text/html; charset=\"iso-8859-1\"\n\n"; + $out_mime .= "Content-Type: text/html; charset=\"UTF-8\"\n\n"; } else { - $out_mime .= "Content-Type: text/plain; charset=\"iso-8859-1\"\n\n"; + $out_mime .= "Content-Type: text/plain; charset=\"UTF-8\"\n\n"; } if ($Config{'hostformat'} eq "split") { #8.0 check hostlimit also? or ne none?

> > to display all 8bit data.
> >
> > This is especially true as the output from logwatch is from untrusted
> > source where someone could easily put some malicious content in. Logwatch
> > does nothing to cleanup the mail content or convert it from the native
> > charset to UTF-8.
> >
> > Note that this bug went in recently as 7.4.0 did not have this bug
> > (neither does 7.4.1). I do not find any upstream changelog in the
> > package and when I download it from upstream directly, I cannot find any
> > note of this breaking change.
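Review bot: the hunk only swaps the label in the two Content-Type headers (`charset=\"iso-8859-1\"` to `charset=\"UTF-8\"`); nothing in it transcodes the body, so log bytes that are not UTF-8 (the reporter's locale is charmap=ISO-8859-1) get sent under a charset they do not match. Pair the header change with real encoding of the output: decode the log data from the source charset and set the output layer, e.g. `binmode(STDOUT, ':utf8')` as proposed in the reply, or at least check the assembled body for invalid UTF-8 before it is handed to the MTA.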
> >
> > -- System Information:
> > Debian Release: stretch/sid
> >   APT prefers unstable
> >   APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> >
> > Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
> > Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
> > Shell: /bin/sh linked to /bin/dash
> > Init: sysvinit (via /sbin/init)
> >
> > Versions of packages logwatch depends on:
> > ii  exim4-daemon-light [mail-transport-agent]  4.88~RC6-2
> > pn  perl:any                                    <none>
> >
> > Versions of packages logwatch recommends:
> > ii  libdate-manip-perl   6.56-1
> > ii  libsys-cpu-perl      0.61-2+b1
> > pn  libsys-meminfo-perl  <none>
> >
> > Versions of packages logwatch suggests:
> > ii  fortune-mod  1:1.99.1-7
> >
> > -- no debconf information
> >
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Logwatch-devel mailing list
> logwatch-de...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/logwatch-devel
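The problem and the fix discussed in this thread, as an added Perl example that is not logwatch's code: a message built the way the patched logwatch.pl builds it (only the charset label changed, body bytes passed through) next to a variant that decodes the log data from its source charset before encoding it as UTF-8, plus the validity check a sender could run first. The sample log line and the ISO-8859-1 source charset are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example, not logwatch code: why relabelling the charset is not
# enough, and what decoding plus an encoded output layer changes.
use strict;
use warnings;
use Encode qw(decode encode);

# Constructed sample: a log line as written under an ISO-8859-1 locale
# ("Zugriff für root"); the umlaut is the single byte 0xFC.
my $latin1_line = "Zugriff f\xFCr root\n";

# Check a sender can run before mailing: does the assembled message
# really decode under the charset its header declares?
sub is_valid_utf8 {
    my ($bytes) = @_;
    my $ok = eval {
        decode('UTF-8', $bytes, Encode::FB_CROAK() | Encode::LEAVE_SRC());
        1;
    };
    return $ok ? 1 : 0;
}

# Behaviour after the patch: the header says UTF-8, the body is still
# whatever bytes the logs contained (0xFC is not valid UTF-8).
sub build_naive {
    my ($raw) = @_;
    return "Content-Type: text/plain; charset=\"UTF-8\"\n\n" . $raw;
}

# Fixed variant: decode from the charset the logs are actually in (an
# assumption here; logwatch would have to take it from the locale), then
# encode the characters as UTF-8 so the body matches the header.
sub build_fixed {
    my ($raw, $source_charset) = @_;
    my $text = decode($source_charset, $raw,
                      Encode::FB_CROAK() | Encode::LEAVE_SRC());
    return "Content-Type: text/plain; charset=\"UTF-8\"\n\n"
         . encode('UTF-8', $text);
}

my $naive = build_naive($latin1_line);
my $fixed = build_fixed($latin1_line, 'ISO-8859-1');
printf "naive body valid UTF-8: %d\n", is_valid_utf8($naive);
printf "fixed body valid UTF-8: %d\n", is_valid_utf8($fixed);

# The binmode suggestion from the reply, in its strict ":encoding(UTF-8)"
# form: once the layer is set, printing decoded character strings emits
# UTF-8 bytes instead of the raw 0xFC.
binmode(STDOUT, ':encoding(UTF-8)');
print decode('ISO-8859-1', $latin1_line);
```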