Re: [Exim] ANNOUNCE: exiscan-4.30-16

Author: Torsten Luettgert
Date:  
To: exim-users
Subject: Re: [Exim] ANNOUNCE: exiscan-4.30-16
On Tue, 2004-03-02 at 14:10, Tom Kistner wrote:
> OK, after a beta phase of about 4 weeks with no reports of major
> blowups, here is exiscan-acl revision 16:
>
> http://duncanthrax.net/exiscan-acl/


>      - Fix: only feed files called "winmail.dat" to the TNEF
>        decoder. It seems it likes to crash on some arbitrary
>        files (Which is a bug in itself, but I don't feel like
>        debugging the mess which is tnef.c and tnef.h. And
>        I don't feel like writing my own TNEF support either.).


So that means that I'm vulnerable to server crashes by evil
folks sending me carefully crafted attachments called
'winmail.dat'?

And perhaps, if it's a buffer overrun, I'd even be vulnerable
to remote exploitation?

Wow, it's good you posted this here, so I can disable the stuff
in my exim.conf :-)

Greetings,
Torsten

P.S.: this is not in any way meant to criticise your excellent
work. I'm just a bit nervous about security in general.