Package: mutt
Version: 1.5.6-20040907+3
Severity: important
Tags: security upstream

At one point, attaching /etc/passwd with mutt would use

  Content-Disposition: attachment; filename="/etc/passwd"

This has been fixed, I guess; now, only the last component of the
filename is stored into the attachment.  However, the real problem
(which still applies, and is a potential security-related threat) is
that mutt uses the full path for saving attachments with absolute
paths.

It's client-side security to simply not send mail with absolute-path
attachments.  Mutt should use the "basename" (s,.*/,,) as the default
output filename.  (Yes, it's still a "threat" if someone mails you
/etc/passwd and you read your mail as root with CWD=/etc/).

BTW, /etc/passwd here is just a hypothetical example.  No, I don't
read mail as root.

Justification: this gives an attacker the possibility to "hint" a user
into overwriting an arbitrary file with arbitrary contents.  I'm not
making it an RC bug, because the filename, with path, is shown, and a
careful user will never overwrite their data.  But, it's relevant to
security, and "important" not to default to a potentially-malicious
output path.


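The basename rule proposed in the report above, as an added example in C; this is not mutt's code and not part of the original message. The function name `safe_default_name` and the sample filenames are hypothetical, and the sketch assumes '/' is the only path separator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a mutt function): derive the default save name
 * from a sender-supplied Content-Disposition filename by keeping only the
 * last path component. Returns out on success, or NULL when no safe
 * default exists and the user should be asked for a name instead. */
static const char *safe_default_name(const char *supplied, char *out, size_t outlen)
{
    const char *slash, *base;
    size_t len;

    if (!supplied || !out || outlen == 0)
        return NULL;

    /* Keep only what follows the last '/'. */
    slash = strrchr(supplied, '/');
    base = slash ? slash + 1 : supplied;
    len = strlen(base);

    /* "dir/", "", "." and ".." leave nothing usable as a file name. */
    if (len == 0 || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;

    /* Refuse rather than silently truncate to a different name. */
    if (len >= outlen)
        return NULL;

    memcpy(out, base, len + 1);
    return out;
}

int main(void)
{
    /* Constructed sample filename parameters, as a sender might supply. */
    const char *samples[] = { "/etc/passwd", "../../.ssh/authorized_keys",
                              "report.pdf", "/tmp/", ".." };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = safe_default_name(samples[i], buf, sizeof buf);
        printf("%-28s -> %s\n", samples[i], r ? r : "(no default, ask user)");
    }
    return 0;
}
```

The default is then relative to the current directory, so the CWD caveat from the report still applies.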