> -----Original Message-----
> From: Willi Mann
> Sent: Friday, December 30, 2016 16:21
> To: Klaus Ethgen; 849...@bugs.debian.org
> Cc: logwatch-de...@lists.sourceforge.net
> Subject: Re: [Logwatch-devel] Bug#849531: Possible security problem, new logwatch sends mails with charset UTF-8
> 
> Hi Klaus,
> 
> Am 2016-12-30 um 18:36 schrieb Klaus Ethgen:
> > Hi Willi,
> > 
> > Am Fr den 30. Dez 2016 um 18:18 schrieb Willi Mann:
> >> can you elaborate how this could be exploited?
> > 
> > Well, log principally contains untrusted data that could be injected
> > from untrusted source. That is no security hole itself.
> > 
> > But when that data gets displayed with the wrong charset, that can
> > trigger problems in window managers (for example). See xterm, which can
> > be controlled via ANSI sequences. Even more, it could trigger stream
> > conversion problems if the UTF-8 implementation is not really fully
> > tested with broken streams.

You would have the same issue with cat /var/log/xxxxx

<snip/>

> 
> So far, I cannot see that the change you mentioned would be 
> problematic.

Adding the binmode(OUTFILE, ":utf8"); fixes your primary report.

> What I do see is that it might be wise to sanitize the output of
> logwatch. A possible way to go might be to remove any byte 
> with value <
> 0x20 - unless it is a newline or tab. But that is independent of the
> ISO-8859-15 to utf-8 change.

Please open a new bug for this enhancement, as it is a different issue.

-Jason
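An added Perl example, not logwatch's own code, showing the two mitigations discussed in this thread side by side: decode the raw log bytes leniently so a broken sequence cannot upset the UTF-8 output stream, and strip control bytes below 0x20 other than newline and tab before the report is written. The source charset argument and the sample log line are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not logwatch code): sanitize untrusted log text before it
# is emitted as a UTF-8 mail body. Control bytes such as ESC (0x1B) are the
# lead byte of terminal control sequences, so removing everything below
# 0x20 except "\n" and "\t" stops them from reaching a mail reader or
# pager that would interpret them.
use strict;
use warnings;
use Encode qw(decode FB_DEFAULT);

# Decode raw log bytes into a Perl string. FB_DEFAULT replaces malformed
# input with U+FFFD instead of dying, which covers the "broken streams"
# concern. The charset default is an assumption (logwatch moved from
# ISO-8859-15 to UTF-8 output).
sub decode_log_bytes {
    my ($bytes, $charset) = @_;
    $charset //= 'UTF-8';
    return decode($charset, $bytes, FB_DEFAULT);
}

# Remove every control character below 0x20 except newline (0x0A)
# and tab (0x09), as proposed in the thread. CR (0x0D) is removed too.
sub strip_control_chars {
    my ($text) = @_;
    $text =~ s/[\x00-\x08\x0B-\x1F]//g;
    return $text;
}

sub sanitize_log_line {
    my ($bytes, $charset) = @_;
    return strip_control_chars(decode_log_bytes($bytes, $charset));
}

# Constructed sample line: an injected clear-screen / title-set escape
# sequence plus a truncated UTF-8 sequence at the end.
my $sample = "login ok\x1b[2J\x1b]0;owned\x07 user=\xc3";
my $clean  = sanitize_log_line($sample, 'UTF-8');

# Same fix Jason mentions for OUTFILE: declare the handle as UTF-8 so
# wide characters are encoded instead of producing "Wide character" noise.
binmode(STDOUT, ':utf8');
print "$clean\n";
```

Run with any Perl 5.10 or newer; the ESC and BEL bytes are gone from the printed line and the dangling lead byte appears as the replacement character.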
