[ SOURCE: http://www.secureroot.com/security/advisories/9786039836.html ]

Author:   Stan Bubrouski (stan@ccs.neu.edu)

Date:   December 31, 2000

Package:  exmh

Versions affected:  2.2 and probably previous versions.

Severity:  A malicious local user could use a symlink attack to overwrite

           any file writable by the user executing exmh.



Problem: When exmh detects a problem at startup (or possibly other times,

I don't have time to investigate) it encounters errors in its code or

configuration an error dialog comes up asking the user what happened and

giving them the option to fill in an explanation and click a button to

send the bug report via e-mail to the maintainer.  If the user does

attempt to e-mail the maintainer a file named /tmp/exmhErrorMsg is created

and if the file exists and is a symlink it will follow the symlink

allowing local files to be overwritten depending on the user running exmh.



Solution: There are no known solutions at this time.



Copyright 2000 Stan Bubrouski



--

Stan Bubrouski                                       stan@ccs.neu.edu

316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222