COMMAND

    metamail

SYSTEMS AFFECTED

    See below

PROBLEM

    Multipurpose Internet Mail Extensions (MIME) is a standard  format
    for extended  Internet electronic  mail. The  MIME format  permits
    email  to  include  enhanced  text,  graphics,  and  audio  in   a
    standardized and interoperable manner.  MIME is described in  RFCs
    2045 through 2049.

    Metamail  is  a  package  that  implements  MIME.  Metamail can be
    obtained from:

        ftp://ftp.funet.fi/pub/unix/mail/metamail/mm2.7.tar.Z).

    Using a  configurable "mailcap"  file, metamail  determines how to
    treat  blocks  of  electronic  mail  text  based on the content as
    described by  email headers.  Some popular  packages for  handling
    electronic  mail  have  hooks  that  allow  metamail  to be called
    automatically while a message is being processed.

    A  condition  exists  in  metamail  in which there is insufficient
    variable checking in some  support scripts. By carefully  crafting
    appropriate message headers,  a sender can  cause the receiver  of
    the  message  to  execute  an  arbitrary  command  if the receiver
    processes the message using the metamail package.

    A sender of a MIME encoded mail message can cause the receiver  to
    execute an arbitrary  command. If the  attacker has an  account on
    the target  user's local  system or  if the  target user's  system
    supports AFS or another distributed filesystem, then the  attacker
    can  arrange  for  the  arbitrary  command  to be one the attacker
    created.

    This  affects  versions  of  metamail  through  2.7  (the  current
    version).

SOLUTION

    If  your  vendor  supplies  metamail  with  its distribution, then
    install  a  patch  from  your  vendor.  If  your  vendor  does not
    distribute metamail with their products  or does not have a  patch
    available, use the workarounds below.

    The following vendors are vulnerable to this:
    Hewlett-Packard Company
    =======================
    HP-UX is vulnerable; patches are in progress.

    Linux
    =====
    Red Hat:
    All  versions  of  Red  Hat  are  vulnerable. A replacement RPM is
    available at:

        ftp://ftp.redhat.com/pub/redhat/updates/4.1/i386/metamail-2.7-7.i386.rpm

    Silicon Graphics Inc.
    =====================
    not sure

    You can also  disable metamail scripts.   To disable the  metamail
    scripts, remove the execute permissions from the scripts that  are
    located  in  the  mm2.7/src/bin  directory  of  metamail v2.7 (the
    latest version  of metamail).   Remember that,  depending on  your
    installation  of  metamail,  the  scripts  may be located in other
    directories in your operating system.

    You can also patch metamail yourself.  For info see CERT  advisory
    CA-97.14 (www.cert.org).