Lars Wirzenius: Enemies of Carlotta, 2006


Wednesday, December 13, 2006

Enemies of Carlotta: EoC security problem fixed

My face is covered in egg.

Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3 and the 1.2.3 versions. The problem is that EoC did not quote shell arguments properly. I have fixed the problem in 1.2.4, which contains no other changes relative to 1.2.3. This problem has the code CVE-2006-5875.

You can find the 1.2.4 version from the EoC website: and I have also uploaded it to Debian's unstable.

Debian's stable contains 1.0.3, and I have prepared a patch for that. It is actually essentially the same patch as was used to create 1.2.4. The Debian security team has uploaded a fixed version of the 1.0.3 package to I've attached it to this message in case anyone not running Debian wants to stay with 1.0.3, but I won't be releasing a 1.0.4 unless someone really needs it (if you do, please tell me immediately).

For risk assessment: I was unable to come up with an exploit. Doing so would require getting a certain kind of construct through the SMTP level to EoC, and I wasn't able to make that happen, but I would not rely on it being impossible. Therefore, please upgrade immediately.

I apologize for this problem. It was amateurish to let the problematic code into a released version of the program, I knew better than do that.

Wednesday, July 12, 2006

Enemies of Carlotta: EoC 2.0 alpha 1

I made the alpha 1 release of the EoC version 2.0 development series available. See the EoC home page for info. (EoC is my mailing list manager.)