Stack-based buffer overflow in a certain Debian patch for xbuffy before 3.3.bl.3.dfsg-9 allows remote attackers to execute arbitrary code via the subject of an email, possibly related to indent subject lines.
http://www.securityfocus.com/bid/67090
http://www.openwall.com/lists/oss-security/2014/04/28/3
http://www.debian.org/security/2014/dsa-2921
http://packages.qa.debian.org/x/xbuffy/news/20140427T181904Z.html