Your message dated Fri, 30 Dec 2016 18:18:00 +0100
with message-id <bc52c706-dee4-8227-1adb-929778a59...@debian.org>
has caused the report #849531,
regarding Possible security problem, new logwatch sends mails with charset UTF-8
to be marked as having been forwarded to the upstream software
author(s) logwatch-de...@lists.sourceforge.net
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
849531: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hi Klaus,
can you elaborate on how this could be exploited? What would be your
suggested fix?
I'm including the upstream mailing list in the conversation.
thank you
Willi
On 2016-12-28 at 10:09, Klaus Ethgen wrote:
> Package: logwatch
> Version: 7.4.3+git20161207-1
> Severity: critical
>
> Current logwatch did change from sending mails with charset iso-8859-1
> to UTF-8. This opens up a potential security hole as UTF-8 is not able
> to display all 8bit data.
>
> This is especially true as the output from logwatch is from untrusted
> sources where someone could easily put some malicious content in. Logwatch
> does nothing to clean up the mail content or convert it from the native
> charset to UTF-8.
>
> Note that this bug went in recently as 7.4.0 did not have this bug
> (neither does 7.4.1). I do not find any upstream changelog in the
> package and when I download it from upstream directly, I cannot find any
> note of this breaking change.
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.7.10 (SMP w/8 CPU cores)
> Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages logwatch depends on:
> ii exim4-daemon-light [mail-transport-agent] 4.88~RC6-2
> pn perl:any <none>
>
> Versions of packages logwatch recommends:
> ii libdate-manip-perl 6.56-1
> ii libsys-cpu-perl 0.61-2+b1
> pn libsys-meminfo-perl <none>
>
> Versions of packages logwatch suggests:
> ii fortune-mod 1:1.99.1-7
>
> -- no debconf information
>
>
--- End Message ---
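The report above describes a mismatch between the charset a mail declares and the bytes it actually carries: log lines in the system's native 8-bit charset are sent under a `charset=UTF-8` header without conversion or cleanup. The following is an added example written for this thread, not logwatch's own (Perl) code, showing in Python what a defensive fix looks like: decode untrusted log bytes from the native charset, neutralise control characters, and emit a body that really is UTF-8, plus a check that verifies a finished message decodes under its declared charset. It assumes the native charset is ISO-8859-1 (the reporter's locale), uses a constructed log line, and the function names are hypothetical.

```python
"""Added example for Debian bug #849531: keep a mail's declared charset and its
body consistent when the body comes from untrusted log data (not logwatch code)."""
import email
from email.message import EmailMessage

# Assumption: the host's native charset, taken from the reporter's locale
# (charmap=ISO-8859-1). A real tool would derive this from the locale.
NATIVE_CHARSET = "iso-8859-1"

# Constructed sample log line: Latin-1 umlauts ("Gr\xfc\xdfe" = "Grüße") and an
# ESC control byte, the kind of 8-bit and control data a log may legitimately or
# maliciously contain.
SAMPLE_LOG = b"login from 192.0.2.1 user Gr\xfc\xdfe\x1b[2J\n"


def to_clean_utf8(raw: bytes, native_charset: str = NATIVE_CHARSET) -> str:
    """Decode raw log bytes from the native charset and make control characters
    visible instead of passing them through to the mail body."""
    text = raw.decode(native_charset, errors="replace")
    cleaned = []
    for ch in text:
        if ch in "\t\n" or ch.isprintable():
            cleaned.append(ch)
        else:
            # C0/C1 controls (ESC, NUL, NEL, ...) become a visible \xNN escape.
            cleaned.append("\\x%02x" % ord(ch))
    return "".join(cleaned)


def naive_declared_utf8(raw_log: bytes) -> bytes:
    """The failure mode from the report: the header claims UTF-8 while the body
    is the untouched 8-bit log data."""
    return (b"Content-Type: text/plain; charset=UTF-8\r\n"
            b"Content-Transfer-Encoding: 8bit\r\n\r\n" + raw_log)


def build_report_mail(raw_log: bytes) -> bytes:
    """Hardened variant: convert and clean first, then declare UTF-8."""
    msg = EmailMessage()
    msg["Subject"] = "Log report (constructed example)"
    msg["From"] = "logwatch@example.invalid"
    msg["To"] = "root@example.invalid"
    msg.set_content(to_clean_utf8(raw_log), charset="utf-8")
    return msg.as_bytes()


def body_matches_declared_charset(msg_bytes: bytes) -> bool:
    """Check that a message body decodes under the charset its header declares.
    Useful as a regression test for any tool that mails untrusted text."""
    msg = email.message_from_bytes(msg_bytes)
    charset = msg.get_content_charset() or "us-ascii"
    payload = msg.get_payload(decode=True)
    try:
        payload.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    print("naive message body matches header:",
          body_matches_declared_charset(naive_declared_utf8(SAMPLE_LOG)))
    print("cleaned message body matches header:",
          body_matches_declared_charset(build_report_mail(SAMPLE_LOG)))
    print(to_clean_utf8(SAMPLE_LOG))
```

The check in `body_matches_declared_charset` is the part worth keeping around: run it over the mail a reporting tool actually produces, and a charset regression like the one described here shows up as a decode failure rather than as garbled or unexpectedly interpreted output in the recipient's mail client.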