Re: [EXIM] Truncating MIME headers?

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Alan Thew
Data:  
Para: patl
CC: Peter Radcliffe, Exim Users Mailing List
Asunto: Re: [EXIM] Truncating MIME headers?
The pine team are being _very careful_, they belive pine 4 to be "OK" but
are not taking chances, mutt had a very major buffer overflow problem with
published exploit etc.

--
Alan Thew                                       alan.thew@???
Computing Services,University of Liverpool      Fax: +44 151 794-4442


On Thu, 13 Aug 1998 patl@??? wrote:

> > patl@??? probably said:
> > > Furthermore, the problem appears to only affect MUAs for various
> > > flavors of Windows. Apparently the faulty programs assume that
> > > the filenames specified will be legal FAT/VFAT/NTFS/... constructs
> > > with no single component exceeding the OS' name length restrictions.
> > > (E.g. 8.3 for Windows 3.x/FAT) Unix programs tend to be much more
> > > liberal in the filenames they expect. (I don't know about Macs,
> > > AmigaDOS or other OSes. I suspect that most of them are a small
> > > enough segment of the market that they aren't even targetted.)
> >
> > Not true - both pine and mutt were two examples of unix programs that were
> > vunerable.
>
> Hmm. All the discussions I'd seen only mentioned Windows clients.
>
> I can't say I'm really surprised though. C practically invites
> this sort of error; and few engineers have the discipline to really
> program defensively.
>
>
> In any case, it isn't the responsibility of the MTA to protect MUAs
> from message bodies that comply with RFC822 but happen to tickle
> MUA implementation bugs. Or even from messages that comply with
> RFC822 but not with any of the various MIME-related RFCs.
>
> That being said; perhaps we could publish the Exim-filter equivalent
> of the procmail/perl hack; along with any info known about which
> client versions are vulnerable and where to look for client fixes.
>
>
>
> -Pat
>
> --
> *** Exim information can be found at http://www.exim.org/ ***
>



--
*** Exim information can be found at http://www.exim.org/ ***