COMMAND

    metamail

SYSTEMS AFFECTED

    Red Hat 4.2 (previous versions and others too?)

PROBLEM

    Alan Cox found a vulnerability in metamail.  The right things to
    do with metamail are either

        a) Use it as a course example on why not to write programs  in
           sh
        b) Throw it out and write it in C

    For the moment, however, this one appears to be covered OK by
    using uudecode's -o option to force the output file.  A more
    portable solution would be:

        sed -e '1s/.*/begin 644 audio-file/' < $1 | uudecode

    A couple of scripts in metamail (notably sun-audio-file) blindly
    uudecode something, assuming the filename will be reasonable.  It
    does do things in a /tmp dir, but if you know someone's home dir
    and bung in a full path then, surprise surprise, it uudecodes where
    asked - so you can send people sun-audio-file .rhosts for example.

    It seems to be sufficient to change from

        if (! $?METAMAIL_TMPDIR) then
            set METAMAIL_TMPDIR=/tmp
        endif

        cd ${METAMAIL_TMPDIR}
        uudecode < $1
        audiotool audio-file

    to use

        uudecode <$1 -o audio-file
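
    The check below is an added example, not part of the original
    advisory or of metamail: it reads the name from the begin header
    of a uuencoded file, rejects names that carry a path or start with
    a dot, and applies the sed rewrite shown above.  The function names
    and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original advisory; function names are hypothetical.

# Print the filename carried by the first "begin <mode> <name>" header.
uu_embedded_name() {
    sed -n 's/^begin [0-7][0-7]* \(.*\)$/\1/p' "$1" | sed -n '1p'
}

# Succeed only if the embedded name is a plain, non-hidden filename.
uu_name_is_safe() {
    case "$(uu_embedded_name "$1")" in
        ''|*/*|.*) return 1 ;;   # empty, contains a path, or a dotfile
        *)         return 0 ;;
    esac
}

# The advisory's portable fix: overwrite line 1 so the decoder sees a fixed name.
uu_force_name() {
    sed -e '1s/.*/begin 644 audio-file/' < "$1"
}

# Constructed sample: the payload is the six bytes "hello\n".
write_sample() {   # $1 = output path, $2 = name to place in the header
    {
        printf 'begin 644 %s\n' "$2"
        cat <<'EOF'
&:&5L;&\*
`
end
EOF
    } > "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample "$tmp/bad.uu" "/home/user/.rhosts"
    write_sample "$tmp/ok.uu" "audio-file"
    for f in "$tmp/bad.uu" "$tmp/ok.uu"; do
        if uu_name_is_safe "$f"; then verdict=ok; else verdict=REJECT; fi
        printf '%s: name=%s -> %s\n' "$verdict" \
            "$(uu_embedded_name "$f")" "$(uu_force_name "$f" | sed -n '1p')"
    done
    rm -rf "$tmp"
}
demo
```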


SOLUTION

    Upgrade to metamail-2.7-7.2 as soon as possible.  This seems to
    affect anybody using metamail - that's generally folks using Elm.
    Several Linux distributions ship a metamail kit.  A fix for Red Hat
    4.x is now available on ftp.redhat.com:

    i386:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/metamail-2.7-7.2.i386.rpm

    alpha:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/metamail-2.7-7.2.alpha.rpm

    SPARC:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/metamail-2.7-7.2.sparc.rpm