The mail command (all versions, including what ships with RH 6.0 and
RH 6.1) is vulnerable to a binary zero in the first byte of a line
of a mail message.  When compiled with -O2 it gets a segmentation
violation.  Of course this is a bogus mail message but some software
generates it as I received SPAM recently that had '\0' in the magic
place and was unable to use the mail command.

When -O2 was not used at compilation, the segmentation violation did not
occur.

I have attached a diff below showing one possible fix.  For this diff,
fio.c.old is the version with all shipped patches applied from
mailx-8.1.1-9.src.rpm.

Basically, the fix is to guarantee that there is at least one non-'\0'
character in a line read from the message.  If there is not
(i.e., the first char is '\0') two problems occur:
1) count is zero, so "linebuf[count - 1] = 0" overlays the local
variable "FILE *mestmp", causing a subsequent write to that file to
get a segmentation violation since mestmp is invalid (this seems to
occur only with -O2)
2) the manipulation of the message requires that there is some text
in each line; an empty stored line is treated as the end of all
messages.


[root@k5 mailx-8.1.1]# diff -C 4 fio.c.old fio.c
*** fio.c.old   Fri Dec 31 16:00:49 1999
--- fio.c       Sat Jan  1 16:12:06 2000
***************
*** 99,113 ****
                        }
                        makemessage(mestmp);
                        return;
                }
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!               linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)) {
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
--- 99,128 ----
                        }
                        makemessage(mestmp);
                        return;
                }
+               /*
+                * In case we read some non-text, make sure there is
+                * at least one char before '\0'.  Otherwise, we'll
+                * blow up later.
+                */
+
+               if (linebuf[0] == '\0')
+                 linebuf[0] = '.';
+
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!
!               /*
!                * zap '\n' at end of line if there is one;
!                * there won't be one if line length is >= than LINESIZE;
!                */
!               if (linebuf[count - 1] == '\n')
!                       linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)){
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
[root@k5 mailx-8.1.1]#