Security holes in Metamail

Date: Fri, 24 Oct 1997 22:42:11 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in metamail

Ok Im sure the topic "vulnerability in metamail" has those who've been near
the code at the very least unsuprised. The right things to do with metamail
are either

        a) Use it as a course example on why not to write programs in sh
        b) Throw it out and write it in C

For the moment however this one appears to be covered ok by using
uudecode's -o option to force the output file.

A couple of scripts in metamail (notably sun-audio-file) blindly uudecode
something assuming the filename will be reasonable. It does do things
in a /tmp dir but if you know someones home dir and bung in a full path
then suprise suprise it uudecodes where asked - so you can send people
sun-audio-file .rhosts for example.

It seems to be sufficient to change from


if (! $?METAMAIL_TMPDIR) then
    set METAMAIL_TMPDIR=/tmp
endif

cd ${METAMAIL_TMPDIR}
uudecode < $1
audiotool audio-file

To use

uudecode <$1 -o audio-file

This isnt the only problem file tho.

This seems affect anybody using metamail - thats generally folks using Elm
and things like Andrew in some cases. Several Linux distributions ship
a metamail kit. A fix for Redhat 4.x is now available on ftp.redhat.com.

Alan