COMMAND
mhshow
SYSTEMS AFFECTED
nmh prior to 1.0.3
PROBLEM
Ruud de Rooij posted the following. Versions prior to 1.0.3 of the
nmh package contained a vulnerability where incoming mail
messages with carefully designed MIME headers could cause nmh's
mhshow command to execute arbitrary shell code.
SOLUTION
This bug has been fixed in nmh 1.0.3. The fixed package is
available at
ftp://ftp.mhost.com/pub/nmh/nmh-1.0.4.tar.gz
Please note that the MIME-handling code with the security hole
dates back to nmh's ancestor MH, so MH users (at least those using
latter-day versions with MIME capability) are also strongly
encouraged to upgrade to nmh 1.0.3.
The version of nmh that was distributed in Debian GNU/Linux 2.1
was vulnerable too. This has been fixed in version
0.27-0.28-pre8-4:
http://security.debian.org/dists/stable/updates/source/nmh_0.27-0.28-pre8-4.diff.gz
http://security.debian.org/dists/stable/updates/source/nmh_0.27-0.28-pre8-4.dsc
http://security.debian.org/dists/stable/updates/source/nmh_0.27-0.28-pre8.orig.tar.gz
http://security.debian.org/dists/stable/updates/binary-alpha/nmh_0.27-0.28-pre8-4_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/nmh_0.27-0.28-pre8-4_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/nmh_0.27-0.28-pre8-4_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/nmh_0.27-0.28-pre8-4_sparc.deb
For RedHat:
intel:   ftp://updates.redhat.com/5.2/i386/nmh-1.0.3-5x.i386.rpm
         ftp://updates.redhat.com/6.0/i386/nmh-1.0.3-6x.i386.rpm
         ftp://updates.redhat.com/6.1/i386/nmh-1.0.3-6x.i386.rpm
alpha:   ftp://updates.redhat.com/5.2/alpha/nmh-1.0.3-5x.alpha.rpm
         ftp://updates.redhat.com/6.0/alpha/nmh-1.0.3-6x.alpha.rpm
         ftp://updates.redhat.com/6.1/alpha/nmh-1.0.3-6x.alpha.rpm
sparc:   ftp://updates.redhat.com/5.2/sparc/nmh-1.0.3-5x.sparc.rpm
         ftp://updates.redhat.com/6.0/sparc/nmh-1.0.3-6x.sparc.rpm
         ftp://updates.redhat.com/6.1/sparc/nmh-1.0.3-6x.sparc.rpm
sources: ftp://updates.redhat.com/5.2/SRPMS/nmh-1.0.3-5x.src.rpm
         ftp://updates.redhat.com/6.0/SRPMS/nmh-1.0.3-6x.src.rpm
         ftp://updates.redhat.com/6.1/SRPMS/nmh-1.0.3-6x.src.rpm
For FreeBSD:
1) Remove the mhshow binary, located in /usr/local/bin/mhshow.
This will prevent the viewing of MIME attachments from
within *mh.
2) Remove the mh/nmh/exmh/exmh2 ports, if you have
installed them.
The English language version of the MH software is no longer
actively developed, and no fix is currently available. It is
unknown whether a fix to the problem will be forthcoming -
consider upgrading to use NMH instead, which is the designated
successor of the MH software. EXMH and EXMH2 can both be compiled
to use NMH instead (this is now the default behaviour). It is not
necessary to recompile EXMH/EXMH2 after reinstalling NMH. So,
remove any old versions of the mail/mh or mail/nmh ports and
perform one of the following:
1) Upgrade your entire ports collection and rebuild the
mail/nmh port.
2) Reinstall a new package obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz
3) Download a new port skeleton for the nmh port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in
/usr/ports/devel/portcheckout or the package can be
obtained from:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
For Turbo Linux, update the package from their ftp server by
running the following command:
rpm -Fv ftp://ftp.turbolinux.com/pub/updates/6.0/security/nmh-1.0.3-0.i386.rpm
The source rpm can be downloaded here:
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/nmh-1.0.3-0.src.rpm
Note: You must rebuild and install the rpm if you choose to
download and install the srpm. Simply installing the srpm alone
WILL NOT CLOSE THE SECURITY HOLE.