On Fri, Feb 13, 2015 at 07:48:07PM +0100, Salvatore Bonaccorso wrote:
> Source: procmail
> Version: 3.22-19
> Severity: important
> Tags: security upstream
> 
> Hi
> 
> Jakub Wilk reported on oss-security that procmail has unsafe handling
> of the TZ environment variable, see
> 
> http://openwall.com/lists/oss-security/2014/10/15/24
> https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13
> 
> and
> 
> http://seclists.org/oss-sec/2015/q1/533
> 
> This issue has got CVE-2014-9681 assigned.

This is only dangerous if you let *others* to write your .procmailrc file,
as I already explained here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706

But if you allow *others* to write your .procmailrc file, you should
really have more important things to worry about other than procmail
preserving the TZ environment variable.

So: Could we please close this report as a non-bug?

Thanks.


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to