On Fri, Feb 13, 2015 at 07:48:07PM +0100, Salvatore Bonaccorso wrote: > Source: procmail > Version: 3.22-19 > Severity: important > Tags: security upstream > > Hi > > Jakub Wilk reported on oss-security that procmail has unsafe handling > of the TZ environment variable, see > > http://openwall.com/lists/oss-security/2014/10/15/24 > https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13 > > and > > http://seclists.org/oss-sec/2015/q1/533 > > This issue has got CVE-2014-9681 assigned.
This is only dangerous if you let *others* to write your .procmailrc file, as I already explained here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706 But if you allow *others* to write your .procmailrc file, you should really have more important things to worry about other than procmail preserving the TZ environment variable. So: Could we please close this report as a non-bug? Thanks. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

