FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ifmail -- unsafe set-user-ID application

Affected packages
ifmail <= ifmail-2.15_4

Details

VuXML ID 746ca1ac-21ec-11d9-9289-000c41e2cdad
Discovery 2004-08-23
Entry 2004-10-19

Niels Heinen reports that ifmail allows one to specify a configuration file. Since ifmail runs set-user-ID `news', this may allow a local attacker to write to arbitrary files or execute arbitrary commands as the `news' user.

References

URL http://cvsweb.freebsd.org/ports/news/ifmail