From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: tools@linux.kernel.org, users@linux.kernel.org
Subject: b4 v0.7.3 is available
Date: Fri, 13 Aug 2021 11:01:35 -0400
Message-ID: <20210813150135.2lsc26eolfvfhpqi@nitro.local>
Hello, all:
B4 stable release 0.7.3 is now available. This is a bugfix release that
addresses a few corner-cases and fixes a security issue:
- when using "b4 mbox" with messages containing malicious message-ids, b4
  0.7.2 and earlier could potentially overwrite arbitrary file contents if the
  message-id contains path escape characters such as "." and "/". It would be
  difficult to exploit this with a meaningful result, as "b4 mbox" always
  saves raw rfc2822 messages, containing full email headers. This problem does
  not manifest when using "b4 am" or other subcommands as sanitization was
  already applied to generated filenames.
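As an added illustration of the fix described above (this is not b4's own code; the function names, the sanitizer rules and the sample Message-ID are assumptions), a sanitized savename next to the pre-0.7.3 shape of the bug, with a containment check on the resulting path:

```python
import os
import re

# Constructed example, not b4's own code. A Message-ID is used to derive the
# on-disk name of a saved mbox; if it is joined onto the output directory
# unchanged, "." and "/" in it can move the write outside that directory.

# Conservative filename alphabet; everything else collapses to "_".
_UNSAFE = re.compile(r'[^A-Za-z0-9@._-]+')


def sanitize_msgid(msgid: str) -> str:
    """Strip <> and map the Message-ID to a single safe path component."""
    msgid = msgid.strip().lstrip('<').rstrip('>')
    name = _UNSAFE.sub('_', msgid)
    # No component may become "." or "..": collapse dot runs, trim edge dots.
    name = re.sub(r'\.{2,}', '.', name).strip('.')
    return name or 'unnamed'


def unsafe_savename(outdir: str, msgid: str) -> str:
    """The vulnerable pattern: raw Message-ID joined straight onto outdir."""
    return os.path.join(outdir, msgid.strip('<>') + '.mbx')


def escapes_outdir(outdir: str, path: str) -> bool:
    """True if the resolved path is not inside the resolved output directory."""
    out = os.path.realpath(outdir)
    return os.path.commonpath([out, os.path.realpath(path)]) != out


def safe_savename(outdir: str, msgid: str) -> str:
    """Sanitize first, then still verify containment before any write."""
    path = os.path.join(outdir, sanitize_msgid(msgid) + '.mbx')
    if escapes_outdir(outdir, path):
        raise ValueError('refusing to write outside the output directory')
    return path


if __name__ == '__main__':
    # Constructed sample: a Message-ID carrying path escape characters.
    crafted = '<../../../tmp/clobbered@example.invalid>'
    print('unsafe:', unsafe_savename('/tmp/out', crafted))
    print('safe:  ', safe_savename('/tmp/out', crafted))
```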
Additional fixes in this release:
- Fixes "b4 am --guess-base" (though a much better implementation is in master)
- Ignores any trailer-like content below standard signature marker "-- "
- Fixes a crash when a header is incorrectly qp-encoded
- Fixes a crash when user locale is not utf-8 and a message is passed on stdin
Everyone must upgrade.
To upgrade, run:
    pip install --upgrade b4
Or simply update to the latest git if using straight from a checkout.
---
Special thanks in this release:
- Kyle Meyer
- Rob Herring
- Uwe Kleine-König
Shortlog:
Konstantin Ryabitsev (6):
      Up version to 0.7.3-dev
      Don't append .git unnecessarily
      Sanitize msgid before using it as savename
      Don't consider signature contents for trailers
      Handle decoding incorrectly encoded headers
      Prepare for 0.7.3 release

Kyle Meyer (1):
      Avoid decoding errors when extracting message ID from stdin

Rob Herring (1):
      Allow '.git' to be a file for worktrees
-K