Lock.PM insecure with -T switch

Stuart Henderson stu at spacehopper.org
Tue Jun 21 19:42:53 IST 2011

On 2011-06-21, Peter Bonivart <bonivart at opencsw.org> wrote:
> On Tue, Jun 21, 2011 at 5:13 PM, Peter Bonivart <bonivart at opencsw.org> wrote:
>> Since so many of you seem to have a "problem" with this, can't one of
>> you contribute a patch to Julian?
> Just to clarify, with patch I don't mean to just add -U :) but to
> really untaint all those references.

"really" untainting would be something more than the

$foo =~ /^(.*)$/;
$foo = $1;

and similar you see everywhere... running with -U or su'ing
to the "Run as user" before starting MailScanner isn't really any
worse than this.

More information about the MailScanner mailing list