[15174] in Athena Bugs
Re: Ron Hoffmann: [pamurray@MIT.EDU: Re: CERT Advisory CA-97.14 - Vulnerability in metamail]
daemon@ATHENA.MIT.EDU (Bill Cattey)
Mon Jun 2 17:08:39 1997
Date: Mon, 2 Jun 1997 17:08:18 -0400 (EDT)
From: Bill Cattey <wdc@MIT.EDU>
To: Mike Barker <mbarker@MIT.EDU>
Cc: hoffmann@MIT.EDU, bugs@MIT.EDU, network@MIT.EDU, pamurray@MIT.EDU
In-Reply-To: <199706022048.QAA05140@megara.MIT.EDU>

I got a query on the metamail vulnerability.

The metamail locker contains only the source code and a single decmips
binary for mmencode, a utility to encode/decode base 64.

The metamail locker was created in case I wanted to initiate a project to
actually compile and support it. The version of the source therein is
so old it doesn't even have a version number. Think of the metamail
locker as a dusty attic. At some point it will get cleaned out.

The vulnerability has NOT been corrected in the metamail locker's
source, but the next work that would ever happen there is to blow
everything away and replace it with a new version.

----

This does not mean we're out of the woods yet.

/usr/andrew/bin/metamail is present. It was built with metamail 2.6, an
ancient version of metamail which probably has many gaping holes.

Luckily, the stuff in use from there is not widely used. At this point,
the user base of metamail under /usr/andrew is too small to justify the
effort of either migrating MIT to the new Andrew (which does not yet
exist under SGI, and which ALSO would probably have the vulnerability),
or closing the holes in the existing code base and rebuilding the
universe.

----

This does not mean we have no work to do.

Question: Does the mh MIME support install any metamail scripts? These
should be reviewed.

-wdc