In the last episode (Mar 09), Don Armstrong said:
> popen shouldn't be used with user data; there is arbitrary remote code
> execution when using -x.
>
> You can temporarily disable -x; see
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228 for more
> details.

I've got a preliminary patch at
http://savannah.nongnu.org/bugs/index.php?29136 that replaces popen()
with a popenv() function that takes an execv-style argument array; it's
untested at the moment since I don't use -x myself.

--
Dan Nelson
[email protected]
_______________________________________________
Spamass-milt-list mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/spamass-milt-list
