procmail

Re: State of procmail [was Re: Is this the official procmail list?]

2016-08-08 05:15:51
On 07.08.16 10:59, Erich Veyhl wrote:
> First and foremost are unfixed security flaws. Mitre.org lists two
> vulnerabilities affecting procmail since 2001: CVE-2002-2034, which
> allows remote attackers to bypass the filter and execute arbitrary
> code by way of specially-crafted MIME attachments,

Here:
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2002-2034

that one is allocated to "John Hardin Procmail Email Sanitizer"¹.
It does not appear for vanilla procmail:

https://www.cvedetails.com/vulnerability-list/vendor_id-225/Procmail.html

That only ascribes one vulnerability to the current version of procmail.

> and CVE-2006-5449, which uses a procmail exploit to gain access to the
> Horde application framework.

Here:
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2006-5449

That Horde vulnerability is allocated to Horde, not procmail.
That makes a great deal of sense, as a Horde vulnerability will be
exploitable by any available path, and as I have no Horde, my procmail
can't succumb to a Horde vulnerability that isn't there, I figure.

> In addition, of course, there are other bugs that remain
> unfixed. Matthew G. Saroff pointed out one long-standing bug, and the
> procmail site itself lists a dozen or so known bugs as of 2001.

There is a list of bugs in the KNOWN_BUGS bug file in the source code.
I don't think we're compelled to fix them until we get around to it,
this century or next. (If not fixed, then they're clearly not hurting
much.)

> "Just as importantly, the email landscape and the system
> administration marketplace have not stood still since 2001, either. Ed
> Blackman noted that procmail cannot correctly handle MIME headers
> adhering to RFC 2047 (which include non-ASCII text), despite the fact
> that RFC 2047 dates back to 1996. RFC 2047-formatted headers are far
> from mandatory, but they do continue to rise in frequency."

Ah, Ed sounds like an academic or writer for a magazine. If that concern
became non-academic for the user community, then we might take a look at
it. In the interim, I'll agree that the email landscape has
not stood still - but reserve judgement on whether it has moved
forwards.

Erik

¹ http://www.impsec.org/email-tools/procmail-security.html

-- 
HTML is not email, and email doesn't contain HTML, so please turn HTML
formatting OFF in your email client. We have filters in place that will
reject your message if your posting contains HTML.
                           - http://gpl-violations.org/mailinglists.html
____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail