Dear Security Team,

I would like to get your input on bug #849531 [1]. A short summary:

Logwatch is a log summarizer that parses various logfiles and reports a summary, either via e-mail or to stdout. Parts of the input are copied verbatim w.r.t. their encoding to the output (e.g., usernames, URLs, etc.). However, e-mails were sent with a hard-coded Content-Type: ... encoding=ISO-8859-1. This meant that non-ASCII UTF-8 characters were not displayed correctly.

As part of a recent change that is already in Debian testing/unstable, the Content-Type line was modified to say that the encoding is UTF-8, obviously to ensure that UTF-8 characters are displayed correctly. However, logwatch does not ensure that the output is correct UTF-8, and that is claimed to be a security problem.

So my question is: Is it a security issue if a script sends e-mails with encoding=utf-8, but potentially containing invalid UTF-8 strings? If yes, what would be the (minimum) requirements to address this problem?

Thank you for your time,

Willi

[1] https://bugs.debian.org/849531
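The mitigation the question hints at, shown as an added example that is not Logwatch's own code: strictly check every log-derived byte string before it is copied into a message declared as charset=utf-8, replace malformed sequences with U+FFFD, and let the mail library encode the body so the declared charset and the bytes on the wire cannot disagree. The sample log lines, addresses and report builder below are constructed for the example.

```python
from email.message import EmailMessage


def is_valid_utf8(raw: bytes) -> bool:
    """Strict check: True only if raw is well-formed UTF-8 (rejects stray
    ISO-8859-1 bytes, truncated sequences, overlongs and encoded surrogates)."""
    try:
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def sanitize_utf8(raw: bytes) -> str:
    """Decode bytes copied from a logfile, replacing each malformed sequence
    with U+FFFD so the result is guaranteed to be valid UTF-8."""
    return raw.decode("utf-8", errors="replace")


def build_report(log_lines: list[bytes]) -> tuple[EmailMessage, int]:
    """Assemble the report (hypothetical builder). Returns the message and
    how many input lines were not valid UTF-8, so the operator can see that
    the log source contained bytes in some other encoding."""
    bad = 0
    body_lines = []
    for raw in log_lines:
        if not is_valid_utf8(raw):
            bad += 1
        body_lines.append(sanitize_utf8(raw))
    msg = EmailMessage()
    msg["Subject"] = "Logwatch report (example)"
    msg["From"] = "logwatch@example.invalid"  # placeholder addresses
    msg["To"] = "root@example.invalid"
    # set_content() with a str defaults to charset=utf-8 and performs the
    # encoding itself, so the header is never a bare claim about raw bytes.
    msg.set_content("\n".join(body_lines))
    return msg, bad


# Constructed sample input: a valid UTF-8 username, a single ISO-8859-1 byte
# (0xE9) as an older client might log it, and a truncated multibyte sequence.
SAMPLE_LINES = [
    b"sshd: accepted password for caf\xc3\xa9",
    b"sshd: accepted password for ren\xe9",
    b"sshd: invalid user \xe2\x82 from 192.0.2.1",
]

if __name__ == "__main__":
    report, bad_count = build_report(SAMPLE_LINES)
    print(f"{bad_count} line(s) contained invalid UTF-8")
    print(report.as_string())
```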
Logwatch is a log summarizer that parses various logfiles and reports a summary, either via e-mail or to stdout. Parts of the input are copied verbatim w.r.t. to their encoding to the output (e.g., usernames, URLs, etc.) However, e-mails were sent with a hard-coded Content-Type: ... encoding=ISO-8859-1. This meant that non-ascii UTF-8 characters were not displayed correctly. As part of a recent change that is already in Debian testing/unstable, the Content-Type line was modified to say that the encoding is UTF-8, obviously to ensure that utf-8 characters are displayed correctly. However, logwatch does not ensure that the output is correct utf-8, and that is claimed to be a security problem. So my question is: Is it a security issue if a script sends e-mails with encoding=utf-8, but potentially containing invalid utf-8 strings? If yes, what would be the (minimum) requirements to address this problem? thank you for your time Willi [1] https://bugs.debian.org/849531