Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.

Ulf Harnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile(), PrintHeader(), and ShareThisHeader().

These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to process it, possibly resulting in arbitrary code execution with the privileges of the user reading mail.

Metamail is a set of utilities for processing MIME mail. New metamail packages are available for Slackware 8.1, 9.0, 9.1, and -current.
These fix two format string bugs and two buffer overflows which could lead to unauthorized code execution. Thanks to Ulf H&auml;rnhammar for discovering these problems and providing a patch.

Ulf Harnhammar discovered two format string bugs ( CAN-2004-0104) and two buffer overflow bugs ( CAN-2004-0105) in metamail, an implementation of MIME. An attacker could create a carefully-crafted mail message which will execute arbitrary code as the victim when it is opened and parsed through metamail.

We have been devoting some effort to trying to avoid shipping metamail in the future. It became unmaintainable and these are probably not the last of the vulnerabilities.

The remote host is affected by the vulnerability described in GLSA-200405-17 (Multiple vulnerabilities in metamail)

    Ulf Harnhammar found two format string bugs and two buffer overflow bugs in     Metamail.
  Impact :

    A remote attacker could send a malicious email message and execute     arbitrary code with the rights of the process calling the Metamail program.
  Workaround :

    There is no known workaround at this time.

Two format string and two buffer overflow vulnerabilities were discovered in metamail by Ulf Harnhammar. The updated packages are patched to fix these holes.

Updated metamail packages that fix a number of vulnerabilities are now available.

Metamail is a system for handling multimedia mail.

Ulf Harnhammar discovered two format string bugs and two buffer overflow bugs in versions of Metamail up to and including 2.7. An attacker could create a carefully-crafted message such that when it is opened by a victim and parsed through Metamail, it runs arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0104 (format strings) and CVE-2004-0105 (buffer overflows) to these issues.

Users of Red Hat Enterprise Linux 2.1 are advised to upgrade to these erratum packages, which contain a backported security patch and are not vulnerable to these issues. Please note that Red Hat Enterprise Linux 3 does not contain Metamail and is therefore not vulnerable to these issues.

Red Hat would like to thank Ulf Harnhammar for the notification and patch for these issues.

ID	Name	Product	Family	Severity
36766	FreeBSD : metamail format string bugs and buffer overflows (a20082c3-6255-11d8-80e3-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
18770	Slackware 8.1 / 9.0 / 9.1 / current : metamail security update (SSA:2004-049-02)	Nessus	Slackware Local Security Checks	high
15286	Debian DSA-449-1 : metamail - buffer overflow, format string bugs	Nessus	Debian Local Security Checks	high
14503	GLSA-200405-17 : Multiple vulnerabilities in metamail	Nessus	Gentoo Local Security Checks	high
14114	Mandrake Linux Security Advisory : metamail (MDKSA-2004:014)	Nessus	Mandriva Local Security Checks	high
12471	RHEL 2.1 : metamail (RHSA-2004:073)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2004-0105

critical

Tenable Plugins

high

high

high

high

high

high