Vulnerability Note VU#513062
metamail contains multiple buffer overflow vulnerabilities
Multiple buffer overflows in the metamail package could allow a remote attacker to execute arbitrary code on a vulnerable system. An attacker may be able to exploit these vulnerabilities via a specially-crafted email message.
The metamail package is one of the first widely adopted packages developed to handle Multipurpose Internet Mail Extensions (MIME) data, and includes a number of programs for handling various MIME types. Although it is mostly historic, it is still in wide deployment in many environments. Two buffer overflows due to incorrect use of strcpy() have been discovered in various portions of the metamail codebase. According to an analysis published by Ulf Härnhammar:
The first buffer overflow occurs when a message has encoded non-ASCII characters in the mail headers and the part that names a character set is overly long. The root of this problem is a bad strcpy() statement in the function PrintHeader() in metamail.c. [...]
NOTE: Proof-of-concept exploit code has been published for this vulnerability.
An attacker may be able to execute code of their choosing on a vulnerable system by introducing a specially-crafted MIME attachment. The code would be executed in the context of the user who invoked the metamail program or mail handling program that launched metamail.
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian||Affected||-||24 Feb 2004|
|MandrakeSoft||Affected||-||19 Feb 2004|
|Red Hat Inc.||Affected||-||04 Mar 2004|
|SGI||Affected||-||04 Mar 2004|
|Slackware||Affected||-||19 Feb 2004|
CVSS Metrics (Learn More)
Thanks to Ulf Härnhammar for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CAN-2004-0105
- Date Public: 18 Feb 2004
- Date First Published: 24 Feb 2004
- Date Last Updated: 04 Mar 2004
- Severity Metric: 14.25
- Document Revision: 12
If you have feedback, comments, or additional information about this vulnerability, please send us email.