FWD: Serious security hole in slrn

From: Joey Hess (joeyh@debian.org)
Date: Sat Sep 22 2001 - 17:20:20 CEST


Unstable may not be vulnerable after all, since it's been using the uudeview
library for a while. Stable *is* vulnerable. I'm going to get out fixed
packages ASAP (in the next hour).

----- Forwarded message from Thomas Schultz <tststs@gmx.de> -----

From: Thomas Schultz <tststs@gmx.de>
Date: 22 Sep 2001 12:33:16 GMT
To: slrn-announce@lists.sourceforge.net
Subject: Serious security hole in slrn
Organization: Pinguin online.

Hi,

During translation, Byrial Jensen <byrial@image.dk> noticed a feature
that most people (including me) never really paid attention to: When
trying to decode binaries, the built-in code executes any shell
scripts the article might contain, apparently assuming they would be
some kind of self-extracting archive.

This feature can quite obviously be abused to do evil things on your
system; for now, I decided to remove it completely from future
releases. If someone really needs it, I might re-add it (along with a
clear warning that would come up whenever it is used, however).

A simple patch that removes this feature from 0.9.7.2 is available
from <http://slrn.sourceforge.net/patches/slrn-0.9.7.2-decode.diff>.

The problem affects all versions of slrn I've ever seen - according to
changes.txt, the dangerous feature was introduced in 0.6.0 (sic! this
is _not_ 0.9.6.0!). However, you are safe if you

 - do not decode binaries at all
 - decode binaries using the uudeview library
 - are on a system that does not support piping and / or does not have
   /bin/sh (e.g. Win32)
 - make sure articles you decode don't contain the string "#!/bin/sh"

-- 
Thomas Schultz <tststs@gmx.de> * Recent news from http://slrn.sourceforge.net/
 -> [2001-09-20] slrn is going international
 -> [2001-08-20] slrn 0.9.7.2 released
 -> [2001-08-11] slrn-announce mailing list created / wishlist reviewed

----- End forwarded message -----

-- 
see shy jo
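
The last workaround in the forwarded advisory (decode only articles that do not contain the string "#!/bin/sh") can be checked mechanically before decoding. The following is an added example, not part of either message and not slrn code; it assumes the articles were saved to an mbox-style file, and the function names and sample articles are constructed for illustration.

```python
import re

MARKER = "#!/bin/sh"  # the string the advisory says decoded articles must not contain
MBOX_FROM = re.compile(r"^From \S+")  # assumed mbox-style article separator

def split_articles(text):
    """Split a saved-articles blob into lists of lines, one list per article."""
    articles = []
    for line in text.splitlines():
        if MBOX_FROM.match(line) or not articles:
            articles.append([])  # start a new article
        articles[-1].append(line)
    return articles

def message_id(lines):
    """Return the Message-ID header, looking only above the first blank line."""
    headers = lines[:lines.index("")] if "" in lines else lines
    for line in headers:
        if line.lower().startswith("message-id:"):
            return line.split(":", 1)[1].strip()
    return "<unknown>"

def scan(text):
    """Return (message_id, line_number_in_article, line) for each line holding MARKER."""
    return [(message_id(art), n, line)
            for art in split_articles(text)
            for n, line in enumerate(art, 1)
            if MARKER in line]

# Constructed sample: a plain uuencoded article, then one carrying a shell script.
SAMPLE = """\
From nobody Sat Sep 22 12:00:00 2001
Message-ID: <constructed-1@example.invalid>

begin 644 a.txt
#:&D*
`
end
From nobody Sat Sep 22 12:01:00 2001
Message-ID: <constructed-2@example.invalid>

#!/bin/sh
echo constructed-sample
"""

if __name__ == "__main__":
    for mid, n, line in scan(SAMPLE):
        print(f"do not decode {mid}: line {n}: {line}")
```

The uuencoded data line in the first sample article begins with "#" but does not match, since the check is for the full string the advisory names.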



This archive was generated by hypermail 2.1.2 : Mon Sep 24 2001 - 12:37:10 CEST