Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
http://www.ubuntu.com/usn/USN-1032-1
http://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
http://www.kb.cert.org/vuls/id/682457
http://www.debian.org/security/2010/dsa-2131
http://openwall.com/lists/oss-security/2010/12/10/1
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html