[exim-dev] [Bug 2118] sendmail -be and ${run} macro security…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2118] sendmail -be and ${run} macro security problem
https://bugs.exim.org/show_bug.cgi?id=2118

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdp@???
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED


--- Comment #8 from Phil Pennock <pdp@???> ---
A stance and a code change by Exim.

(1) This is not a vulnerability in Exim. Exim trusts the local user to be
allowed access to their own account and is not appropriate for r* restricted
environments.
(2) Using `--` to end option processing has been part of POSIX for over two
decades now; code passing untrusted data to other programs should be using it,
no excuses.
(3) Commit f33875c3a adds the new option `commandline_checks_require_admin`
which should probably be set in hosting environments.
(4) This change is probably pretty clean to backport.
(5) I will not be setting this option true by default.

If this option commandline_checks_require_admin protects you, then you've
already messed up. But Exim can provide the suspenders for when your belt
fails. The suspenders might snap, they're new and unproven.

This is change PP/04 for the future 4.90 release.

--
You are receiving this mail because:
You are on the CC list for the bug.
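As an added illustration of point (2) in the comment above (example code written for this archive page, not Exim's or the commenter's own), the block below shows with Python's `getopt` why a user-controlled recipient such as `-be` is swallowed as an option unless `--` precedes it. The option string `b:f:t` is a constructed stand-in for a sendmail-compatible front end, not Exim's real option table.

```python
"""Point (2) worked through: put `--` before untrusted operands so a recipient
string such as "-be" cannot be parsed as an option by a sendmail-style CLI.

Added example, not Exim code.  OPTSTRING is a constructed stand-in for a
sendmail-compatible option set: -b MODE (so "-be" reads as mode "e"),
-f SENDER, -t.  Real MTAs accept far more, but the rule demonstrated
(getopt stops option processing at "--") is the POSIX behaviour the comment
relies on."""
import getopt
from typing import Dict, List, Tuple

OPTSTRING = "b:f:t"  # constructed option spec, see module docstring


def parse_like_sendmail(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Parse argv as a getopt-based MTA front end would; return (options, operands)."""
    opts, operands = getopt.getopt(argv, OPTSTRING)
    return dict(opts), operands


def unsafe_argv(sender: str, recipients: List[str]) -> List[str]:
    """The bug-report pattern: user-controlled recipients appended directly."""
    return ["-f", sender, *recipients]


def safe_argv(sender: str, recipients: List[str]) -> List[str]:
    """Hardened form: `--` ends option processing, so every recipient is an operand."""
    return ["-f", sender, "--", *recipients]


def recipients_survived(argv: List[str], recipients: List[str]) -> bool:
    """True when every untrusted recipient reached the operand list unchanged,
    i.e. none of them was consumed as an option or as an option's argument."""
    _, operands = parse_like_sendmail(argv)
    return operands == recipients


if __name__ == "__main__":
    # Constructed input: a hostile "recipient" that spells an MTA mode switch.
    hostile = ["-be"]
    print(parse_like_sendmail(unsafe_argv("alice@example.org", hostile)))
    # ({'-f': 'alice@example.org', '-b': 'e'}, [])  <- mode switched, recipient gone
    print(parse_like_sendmail(safe_argv("alice@example.org", hostile)))
    # ({'-f': 'alice@example.org'}, ['-be'])         <- kept as an ordinary operand
```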