FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ifmail -- unsafe set-user-ID application

Affected packages
ifmail <= 2.15_4

Details

VuXML ID 746ca1ac-21ec-11d9-9289-000c41e2cdad
Discovery 2004-08-23
Entry 2004-10-19
Modified 2015-05-01

Niels Heinen reports that ifmail allows one to specify a configuration file. Since ifmail runs set-user-ID `news', this may allow a local attacker to write to arbitrary files or execute arbitrary commands as the `news' user.
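The usual defence for this class of bug, shown as an added example (not ifmail's code and not the fix in the referenced changeset): a set-user-ID program that accepts a caller-supplied configuration file gives up its elevated IDs before using it. The default path, the function names and the use of the first argument as the override are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical compiled-in path; not ifmail's real location. */
#define DEFAULT_CONFIG "/usr/local/etc/example/config"

enum cfg_action { CFG_DEFAULT, CFG_CALLER_AS_SELF, CFG_CALLER_DROP };

/* Decide how to treat a caller-supplied config path.
 * requested == NULL means no override was given on the command line. */
enum cfg_action cfg_policy(const char *requested, uid_t ruid, uid_t euid,
                           gid_t rgid, gid_t egid)
{
    if (requested == NULL)
        return CFG_DEFAULT;          /* admin-owned file, keep privileges */
    if (ruid != euid || rgid != egid)
        return CFG_CALLER_DROP;      /* elevated: caller's file must not act as euid */
    return CFG_CALLER_AS_SELF;       /* no elevation, nothing to abuse */
}

/* Permanently give up set-user-ID/set-group-ID privileges.
 * Group first: after setuid() we may no longer be allowed to setgid(). */
int drop_privileges(uid_t ruid, gid_t rgid)
{
    uid_t old_euid = geteuid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* If the old effective uid can be regained (saved set-user-ID was
     * kept), the drop was not permanent: report failure so callers refuse. */
    if (old_euid != ruid && ruid != 0 && setuid(old_euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Constructed CLI: the first argument stands in for the config override. */
    const char *requested = argc > 1 ? argv[1] : NULL;
    enum cfg_action act = cfg_policy(requested, getuid(), geteuid(),
                                     getgid(), getegid());
    if (act == CFG_CALLER_DROP && drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "cannot drop privileges, refusing custom config\n");
        return 1;
    }
    printf("using %s (%s)\n", requested ? requested : DEFAULT_CONFIG,
           act == CFG_CALLER_DROP ? "privileges dropped" : "privileges unchanged");
    return 0;
}
```
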

References

URL https://svnweb.freebsd.org/changeset/ports/120295