
Mailutils: Multiple vulnerabilities in imap4d and mail


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200505-20 / mailutils
Release Date May 27, 2005
Latest Revision May 27, 2005: 01
Impact high
Exploitable remote
Package: net-mail/mailutils
Vulnerable versions: < 0.6-r1
Unaffected versions: >= 0.6-r1
Architecture(s): All supported architectures

Related bugreports: #94053


The imap4d server and the mail utility from GNU Mailutils contain multiple vulnerabilities, potentially allowing a remote attacker to execute arbitrary code with root privileges.

2.  Impact Information


GNU Mailutils is a collection of mail-related utilities, including an IMAP4 server (imap4d) and a Mail User Agent (mail).


infamous41d discovered several vulnerabilities in GNU Mailutils. imap4d passes client-supplied command tags into a printf-style format string (CAN-2005-1523), fails to validate the message range given in a "FETCH" sequence set (CAN-2005-1522), and contains an integer overflow in the "fetch_io" routine (CAN-2005-1521). mail contains a buffer overflow in "header_get_field_name()" (CAN-2005-1520), reachable through the headers of a received message.


A remote attacker can exploit the format string and integer overflow in imap4d to execute arbitrary code as the imap4d user, which is usually root. By sending a specially crafted email message, a remote attacker could exploit the buffer overflow in the "mail" utility to execute arbitrary code with the rights of the user running mail. Finally, a remote attacker can also trigger a Denial of Service by sending a malicious FETCH command to an affected imap4d, causing excessive resource consumption.
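The three input-handling classes listed above (a client tag that reaches a printf-style format, an unvalidated or overflowing FETCH sequence set, and a header field name copied into a fixed buffer) are shown below in hardened form. This is an added illustration, not Mailutils code and not part of the advisory; the function names, the 32-byte tag cap and the 10-digit number cap are assumptions, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not Mailutils code) of the input-handling classes
 * named in the advisory, each in hardened form: a client tag that reaches a
 * printf-style format, an unvalidated or overflowing FETCH sequence-set, and a
 * header field name copied into a fixed buffer. Names and limits are assumed. */

#define MAX_TAG 32

/* RFC 3501 tag: 1*<ASTRING-CHAR except "+">. Rejecting "%", "*", CTLs and
 * spaces also keeps every printf directive character out of the tag. */
int valid_tag(const char *tag)
{
    size_t n = strlen(tag);
    if (n == 0 || n > MAX_TAG) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tag[i];
        if (c <= 0x20 || c >= 0x7f || strchr("(){%*\"\\+", c)) return 0;
    }
    return 1;
}

/* "<tag> <status> <text>\r\n". The tag is data for a fixed "%s", never the
 * format itself (the bug class is snprintf(out, len, tag)). -1 if truncated. */
int respond(char *out, size_t outlen, const char *tag, const char *status,
            const char *text)
{
    int n = snprintf(out, outlen, "%s %s %s\r\n", tag, status, text);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* seq-number: "*" = highest message, else a nz-number in 1..max. The digit
 * count is capped before strtoul so the conversion itself cannot overflow. */
static int parse_seq_num(const char *s, size_t len, unsigned long max,
                         unsigned long *out)
{
    char buf[11];
    if (len == 1 && s[0] == '*') { *out = max; return 0; }
    if (len == 0 || len > 10) return -1;       /* 32-bit number: <= 10 digits */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    memcpy(buf, s, len); buf[len] = '\0';
    errno = 0;
    unsigned long v = strtoul(buf, NULL, 10);
    if (errno == ERANGE || v == 0 || v > max) return -1;
    *out = v;
    return 0;
}

/* Validate a FETCH sequence-set such as "1:5,7,9:*" against a mailbox of max
 * messages before anything is fetched. Stores how many messages it references
 * (overlaps counted twice); "5:1" is read as "1:5" per RFC 3501. Returns 0, or
 * -1 on any out-of-range, zero, empty or non-numeric entry. */
int parse_sequence_set(const char *set, unsigned long max, unsigned long *count)
{
    unsigned long total = 0;
    const char *p = set;
    if (max == 0 || *p == '\0') return -1;
    for (;;) {
        const char *end = p;
        unsigned long lo, hi;
        while (*end && *end != ',') end++;
        const char *colon = memchr(p, ':', (size_t)(end - p));
        if (!colon) {
            if (parse_seq_num(p, (size_t)(end - p), max, &lo)) return -1;
            hi = lo;
        } else {
            if (parse_seq_num(p, (size_t)(colon - p), max, &lo) ||
                parse_seq_num(colon + 1, (size_t)(end - colon - 1), max, &hi))
                return -1;
            if (lo > hi) { unsigned long t = lo; lo = hi; hi = t; }
        }
        total += hi - lo + 1;                  /* each entry adds at most max */
        if (*end == '\0') break;
        p = end + 1;
    }
    *count = total;
    return 0;
}

/* Field name of a header line ("Subject: x" -> "Subject") into a fixed buffer;
 * a name that does not fit is refused instead of overrunning the buffer.
 * Returns the name length or -1. */
int header_field_name(const char *line, char *out, size_t outlen)
{
    const char *colon = strchr(line, ':');
    if (!colon || colon == line || (size_t)(colon - line) >= outlen) return -1;
    size_t n = (size_t)(colon - line);
    memcpy(out, line, n); out[n] = '\0';
    return (int)n;
}
```

Two points carry the weight here. The tag check and the fixed "%s" format are independent defences: either one alone stops a client from placing printf directives in the tag, and keeping both means a later change to the response code does not silently reopen the hole. The sequence-set parser rejects the whole command before any message is touched, so a range such as "1:4294967295" against a ten-message mailbox is refused up front instead of being iterated over.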

3.  Resolution Information


There are no known workarounds at this time.


All GNU Mailutils users should upgrade to the latest available version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/mailutils-0.6-r1"

4.  References

CAN-2005-1520: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1520
CAN-2005-1521: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1521
CAN-2005-1522: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1522
CAN-2005-1523: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1523

Page updated May 27, 2005
