From: Roman Drahtmueller (drahtsuse.de)
Date: Mon Jan 07 2002 - 07:01:05 CST


    > > Problem: URL handler allows embedded commands.
    > > May allow email viruses of the Outlook kind.
    >
    > > http://address/'&/some/program${IFS}with${IFS}arguments&'
    >
    > Isn't that old news? http://www.securityfocus.com/bid/810
    >
    > I *can* be wrong, but it looks like it is the same problem...

    SuSE pine packages contain a patch that makes pine use environment
    variables to pass on the URL to the viewer. The patch is attached - I'm
    not sure who made it, but it looks like it is from Olaf Kirch.

    Roman.

    -- 
     -                                                                      -
    | Roman Drahtmüller      <drahtsuse.de> // "You don't need eyes to see, |
      SuSE GmbH - Security           Phone: //             you need vision!"
    | Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
     -                                                                      -
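
The approach described in the reply above, passing the URL to the viewer through an environment variable instead of pasting it into the command line, shown next to the unsafe form. This is an added example, not part of the original message and not the attached SuSE patch; `VIEWER_URL`, `view_unsafe`, `view_env` and the stand-in viewer script are assumed names.

```shell
#!/bin/sh
# Added example. VIEWER_URL, view_unsafe, view_env and the stand-in viewer are
# assumed names; none of them come from pine or from the SuSE patch.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export VIEWER="$WORK/viewer" LOG="$WORK/viewer.log"
MARK="$WORK/injected"

# Stand-in URL viewer: records the single argument it was started with.
cat > "$VIEWER" <<'EOF'
printf '%s\n' "$1" > "$LOG"
EOF

# Constructed URL shaped like the one quoted above; the embedded command is a
# harmless touch of a marker file inside the scratch directory.
DEMO_URL="http://address/'&touch\${IFS}$MARK&'"

view_unsafe() {
    # The URL is pasted into the command text, so sh parses its quote and '&'
    # characters as syntax. "wait" only makes the demo deterministic.
    sh -c "sh $VIEWER '$1'; wait" 2>/dev/null || :
}

view_env() {
    # The command text is constant. The URL travels in the environment and is
    # expanded inside double quotes after parsing, so it stays one argument.
    VIEWER_URL="$1" sh -c 'sh "$VIEWER" "$VIEWER_URL"'
}

check() {   # prints what the viewer saw and whether the marker appeared
    rm -f "$MARK" "$LOG"
    "$1" "$DEMO_URL"
    printf '%-12s viewer got: %s\n' "$1" "$(cat "$LOG")"
    if [ -e "$MARK" ]; then echo "  embedded command ran"; else echo "  nothing else ran"; fi
}

check view_env
check view_unsafe
```

With `view_env` the viewer receives the whole URL, metacharacters included, as one argument; with `view_unsafe` it receives only the part before the first quote and the rest is executed by the shell.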