From xemacs-m  Thu Sep 25 14:20:50 1997
To: XEmacs Beta List <xemacs-beta@xemacs.org>
Subject: Re: Fatal serious (security) flaw in XEmacs 19.16/20.3
References: <m2zpp22ae9.fsf@altair.xemacs.org> <ocrsout5vgm.fsf@ml.com> <m23emtl2cq.fsf@altair.xemacs.org>
X-Y-Zippy: Were these parsnips CORRECTLY MARINATED in TACO SAUCE?
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
From: Colin Rafferty <craffert@ml.com>
Date: 25 Sep 1997 15:20:20 -0400
In-Reply-To: SL Baur's message of "25 Sep 1997 10:39:33 -0700"
Message-ID: <ocrafh15hfv.fsf@ml.com>
Lines: 23
X-Mailer: Gnus v5.5/XEmacs 20.3(beta23) - "Sarajevo"

SL Baur writes:
> Colin Rafferty <craffert@ml.com> writes:

>>> [1]  A unit definition of `show stopper' if there ever was one.

>> What is the security flaw?

> Stack overrun.  Cookbooks are available to take advantage of such
> flaws.

> The directory/filename code is a particularly dangerous subsystem for
> this to occur in because of named MIME attachments.

I hadn't thought about MIME stuff.  While I am a strong opponent of
running "Local Variables:" in email messages (for the obvious reasons), I
never thought about the fact that I blindly hit `e' on MIME attachments.

Maybe I should come up with a good long file name that, when overflowed,
will cause XEmacs to mail me back a copy of your lossage, so that I can
learn your PGP password. :-)

-- 
Colin
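The bug class the thread describes is an attachment file name copied into a fixed-size stack buffer with no length check. One way to make that copy refuse over-long input instead of overrunning the stack, as an added C example that is not XEmacs code; copy_name_safe, open_attachment and the 32-byte limit are assumptions for the demo:

```c
/* Added example, not XEmacs's own code. copy_name_safe refuses a name that
 * does not fit (including its NUL) rather than writing past the buffer or
 * silently truncating; open_attachment models "hit `e' on an attachment". */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX_LEN 32   /* assumed buffer size, chosen for the demo */

/* Returns 1 when src was copied into dst, 0 when it was refused.
 * The scan is bounded by dstsz, so an unterminated src cannot run off either. */
int copy_name_safe(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)          /* no room for the terminator: refuse */
        return 0;
    memcpy(dst, src, n + 1); /* n + 1 <= dstsz, so this cannot overflow */
    return 1;
}

/* Decide whether an attachment name is accepted for opening.
 * Returns 1 for accepted, 0 for rejected. */
int open_attachment(const char *attachment_name)
{
    char buf[NAME_MAX_LEN];
    if (!copy_name_safe(buf, sizeof buf, attachment_name)) {
        fprintf(stderr, "attachment name too long (%zu bytes), refusing\n",
                strlen(attachment_name));
        return 0;
    }
    printf("would open %s\n", buf);
    return 1;
}

int main(void)
{
    char longname[200];              /* constructed over-long name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    open_attachment("notes.txt");    /* accepted */
    open_attachment(longname);       /* refused, no overrun */
    return 0;
}
```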

