"Emil v2 is a filter for converting Internet Messages. It supports three basic formats: MIME, SUN Mailtool and plain old style RFC822." It is an old program from SUNET (Swedish University NETwork).

Emil is one of the packages in SUSE Linux and Debian GNU/Linux. It is also one of the ports in the FreeBSD Ports Collection. The usual setup is that sendmail or procmail pipes messages from the network to Emil.

At least versions 2.0.4, 2.0.5 and 2.1.0-beta9 are vulnerable to several stack-based buffer overflows while parsing and otherwise handling the filenames of attached files, while 2.1.0-beta9 is also vulnerable to some rather obscure format string bugs while printing error messages.

I have attached the archive emil.advisory-data.tar.gz, with a security patch against 2.1.0-beta9 and three test messages. testmail1 and run1.sh give an example of a buffer overflow that occurs when converting files with long filenames from MIME to uuencode. testmail2 and run2.sh show a buffer overflow that occurs when parsing uuencoded files with long filenames. testmail3 and run3.sh show a buffer overflow that occurs when converting SUN Mailtool files with long filenames to MIME.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/
Attachment:
emil.advisory-data.tar.gz
Description: application/gzip
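
The two bug classes named in the advisory, shown in their corrected form as an added example. This is not Emil's source and not the attached patch; the function names, the 64-byte NAME_BUF size and the sample header line are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 64 /* assumed buffer size for this example */

/* Parse "begin <octal mode> <filename>" from a uuencoded attachment.
 * Returns 0 on success, -1 if malformed, -2 if the name does not fit. */
int parse_uu_begin(const char *line, unsigned *mode, char *name, size_t name_sz)
{
    char *end;

    if (strncmp(line, "begin ", 6) != 0)
        return -1;
    unsigned long m = strtoul(line + 6, &end, 8);
    if (end == line + 6 || *end != ' ' || m > 07777)
        return -1;
    const char *fn = end + 1;
    size_t len = strcspn(fn, "\r\n"); /* name runs to end of line */
    if (len == 0)
        return -1;
    if (len >= name_sz)               /* the length check an unbounded copy omits */
        return -2;
    memcpy(name, fn, len);
    name[len] = '\0';
    *mode = (unsigned)m;
    return 0;
}

/* Build an error message: the untrusted name is an argument to a constant
 * format string, never the format string itself. */
int format_error(char *out, size_t out_sz, const char *name)
{
    return snprintf(out, out_sz, "cannot convert attachment \"%s\"", name);
}

int main(void)
{
    /* Constructed sample header line, not taken from the advisory's test mails. */
    const char *line = "begin 644 %n%s-report.txt\n";
    unsigned mode;
    char name[NAME_BUF], msg[128];
    if (parse_uu_begin(line, &mode, name, sizeof name) == 0) {
        format_error(msg, sizeof msg, name);
        printf("mode %o: %s\n", mode, msg);
    }
    return 0;
}
```

An overlong filename is rejected with -2 before any copy takes place, and format directives inside a filename are printed literally.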