This patch will correct MIME security problems as referenced here http://www.securityfocus.com/archive/1/291514.
Created attachment 22911 [details, diff] patch-roaring-pengiun --- /usr/portage/dev-perl/MIME-tools/MIME-tools-5.411a-r2.ebuild 2003-06-21 17:36:36.000000000 -0400 +++ /usr/local/portage/dev-perl/MIME-tools/MIME-tools-5.411a-r4.ebuild 2003-12-31 09:25:18.000000000 -0500 @@ -24,3 +24,10 @@ dev-perl/HTML-Tagset dev-perl/HTML-Parser dev-perl/MailTools" + + src_unpack() { + unpack ${A} || die + cd ${S} + epatch ${FILESDIR}/patch-roaring-pengiun + } +
This is a dirty patch! I do not like it as is. Reason: indentation seem to be changed for no good reason. dev-perl team please review or keep us posted on when an upstream version is available.
Created attachment 23406 [details, diff] patch-roaring-pengiun Sorry for submitting a dirty patch. I have cleaned it up, did an emerge test, and tested it against MimeDefang.
Brett, Thank you. I'll try to round up one of our perl devs and get them to comment/review/merege.
This is a pretty large patch, and I can't be certain that it won't cause problems for other uses of MIME-tools. From looking at the securityfocus link, it may be the case that when MIME-tools is used for virus scanning purposes, some spliced up virus might evade the scanner and affect other computers later, I don't see a situation where the security of the Gentoo machine is affected in any way, so I wouldn't consider this a gentoo security bug. I would prefer to wait until these patches are adopted upstream before applying them in Gentoo.
Marking LATER until decision made upstream.
The security bug is when an malformed mime attachment that only outlook understandards is sent via an email. When Mimedefang or other programs try to look at the attachment with MIME-tools it comes back as malformed and passes it on. When Outlook opens the email it process's the attachment. Which in this case the attachment could be a virus.
Why hasn't this been reported on rt.cpan.org?
I am the author of the patch. It's designed to make MIME-tools cope more "sensibly" with common types of malformed messages, where "sensibly" means to behave in such a way as to offer maximum protection for programs that make the "obvious" interpretation of malformed MIME. The patch does not break any of the MIME::tools regression tests, and in over a year of widespread use, I haven't heard of any problems from this patch.
In response to Michael Cummings: "Why hasn't this been reported on rt.cpan.org?" I e-mailed the patch directly to the MIME-tools author. He did not apply it, nor did he even respond. He applied very similar changes to MIME-tools-6alpha, but for some reason is not backporting the patch to the stable 5.411a release.
(Cleaning up my resolve laters) - this patch went into the upstream version after the release in question here
