A flaw in how spamass-milter processes user-supplied input was reported. If spamass-milter is run with the expand (-x) option, it calls popen() in a way that includes the attacker-supplied recipient (RCPT TO). For example:
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me at me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
The report claims this can result in remote root code execution; however, in Fedora spamass-milter is run with the privileges of the dedicated sa-milt user, reducing the scope and impact of this flaw. As well, by default, spamass-milter does not run with the -x (expand) option, which is required to be able to exploit this flaw.
It does not look as though an upstream release has been made in many years, and the report does not provide a fix to the issue, although it does note the vulnerable popen() call.
This issue has been assigned CVE-2010-1132.
Is this not a duplicate of Bug #572117 ?
Oh good grief. Yes, it absolutely is. Sorry about that; I'll fix these bugs up.
*** This bug has been marked as a duplicate of bug 572117 ***