vm team mailing list archive

[Bug 497479] [NEW] vm-submit-bug-report problems

 

*** This bug is a security vulnerability ***

Private security bug reported:

Robert Marshall reports:

I tried running it (I have a bug to report  :-)  ) and it took around 10
minutes to prepare the email - so I think there's a bug in the bug
submission!
When it gets to vm-shrunken-headers-keymap there's miscellaneous garbage
- around 1.2 meg of it - mainly spaces but with occasional variables in it


> If you tell me which variables have potentially sensitive data and
> which seem wasteful (the keymap certainly is), I will remove them from
> the list.

In my setup
 vm-auto-folder-alist
 vm-imap-server-list - people *might* put passwords there (I know they
    shouldn't - they might have written some code which adds it?)
    Maybe a prominent warning at the head of the message saying please
    check for sensitive data to the submitter and how to signal that it
    has been removed?
 vm-imap-auto-expunge-alist ditto
 vm-spool-files
 vm-pop-folder-alist
 vm-mail-folder-alist
 vm-mail-fcc-default 
 vmpc-actions
 vmpc-conditions
 vmpc-reply-alist (maybe)

** Affects: vm
     Importance: Critical
     Assignee: Uday Reddy (reddyuday)
         Status: Confirmed

** Changed in: vm
       Status: New => Confirmed

** Changed in: vm
   Importance: Undecided => Critical

** Changed in: vm
     Assignee: (unassigned) => Uday Reddy (reddyuday)

** Changed in: vm
    Milestone: None => 8.1.0-beta

-- 
vm-submit-bug-report problems
https://bugs.launchpad.net/bugs/497479
You received this bug notification because you are a member of VM
development team, which is a direct subscriber.

Status in VM (View Mail) for Emacs: Confirmed
