COMMAND

    filter (part of the elm-2.4 package)

SYSTEMS AFFECTED

    Any UNIX system running elm/filter

PROBLEM

    The following information is based on KSR[T] Advisory #7.  That
    advisory covers two vulnerabilities in the filter program.  The
    first is in the function save_embedded_address(): filter uses a
    while() loop to copy up to 5120 bytes into a 512 byte automatic
    variable.  The data copied is the 'From:' or 'Reply-To:' line of
    an email message.  This problem could potentially be exploited
    remotely, depending on how the Mail Transfer Agent on the victim's
    machine handles From: or Reply-To: headers larger than 512 bytes.
    A successful attack would allow a remote attacker to run arbitrary
    commands as the user running filter, possibly with additional
    privileges that allow writing to the mail spool directory.

    The second is in the function get_filter_rules(): there is a stack
    overrun when the function blindly strcpy()s the variable filterfile
    (obtained via the command line parameter '-f') into an automatic
    variable.

    Both attacks can be performed locally; however, they only increase
    privileges if filter is running set-uid or set-gid (most notably on
    Linux machines).  This could allow a local user to read other
    users' mail spools and gain write access to the mail spool
    directory.  The latter could potentially be used to interfere with
    the mail subsystem.

    The filter included in elm-2.4ME+37 also appears to be  vulnerable
    to  the   "save_embedded_address()"  attack,   but  not   to   the
    "get_filter_rules()" attack.
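    The following is an added illustration of the fix both bugs needed, not
    elm's own source: a bounded copy that replaces the unbounded while()
    loop in save_embedded_address() and the blind strcpy() in
    get_filter_rules(), rejecting oversized input instead of overrunning
    the automatic variable.  The function names and the 256-byte size of
    the filterfile buffer are assumptions; the 512-byte address buffer
    is the size stated in the advisory.

```c
/* Added illustration, not elm's source: a bounded copy that replaces the
 * unbounded while() loop and the blind strcpy() described in the advisory.
 * All function names are hypothetical. */
#include <stdio.h>

#define ADDR_MAX       512  /* automatic buffer size given in the advisory */
#define FILTERFILE_MAX 256  /* assumed size of the filterfile buffer (not on the page) */

/* Copy src into dst[dst_len] up to NUL (or newline when stop_at_nl is set),
 * never writing past dst[dst_len - 1]. Returns bytes copied, or -1 when the
 * input does not fit, so callers reject it instead of silently truncating. */
int copy_bounded(char *dst, size_t dst_len, const char *src, int stop_at_nl)
{
    size_t i = 0;
    if (dst_len == 0) return -1;
    while (src[i] != '\0' && !(stop_at_nl && src[i] == '\n')) {
        if (i + 1 >= dst_len) {          /* keep room for the terminator */
            dst[0] = '\0';
            return -1;
        }
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* save_embedded_address() as it should have been: the From:/Reply-To:
 * value lands in the 512-byte frame only if it fits. 0 = ok, -1 = rejected. */
int save_embedded_address_checked(const char *header_value)
{
    char address[ADDR_MAX];
    if (copy_bounded(address, sizeof address, header_value, 1) < 0) {
        fprintf(stderr, "filter: address header over %d bytes, ignored\n", ADDR_MAX - 1);
        return -1;
    }
    return 0;
}

/* get_filter_rules() as it should have been: the -f argument is bounded
 * instead of strcpy()'d into the automatic variable. 0 = ok, -1 = refused. */
int set_filter_file_checked(const char *arg)
{
    char filterfile[FILTERFILE_MAX];
    if (copy_bounded(filterfile, sizeof filterfile, arg, 0) < 0) {
        fprintf(stderr, "filter: -f path over %d bytes, refused\n", FILTERFILE_MAX - 1);
        return -1;
    }
    return 0;
}
```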

SOLUTION

    Filter will not be a part of elm 2.5, and is not supported in  any
    way  at  this  time.   It  is  the Elm group's recommendation that
    filter not be used.  Patch/Fix:

        http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz
        ftp://ftp.ozone.FMI.FI/KEH/elm-2.4ME+PL39.patch.gz