Debian Security Advisory

metamail -- It may be possible to make metamail execute arbitrary commands

Date Reported:
09 Apr 1997
Affected Packages:
Security database references:
No other external database security references currently available.
More information:

Original submitter of the report: Olaf Kirch <>

The hole may be exploitable if you let metamail run showext for messages of type message/external-body. At least tcsh, and possibly a few other csh's, do seem to do weird things when expanding command line arguments. If you give a script an argument of "foo FTP=/tmp/evilcmd", and it does

	set var=$1

this will assign foo to $var, and /tmp/evilcmd to $FTP. Unfortunately, metamail invokes showext with the MIME attributes on the command line, so you basically send it a header like this

   Content-type:  message/external-body;
	   mode="image FTP=/tmp/evilcmd"

Further below, the script will run $FTP to initiate the FTP connection. Up to now, I have not been able to pass arguments to the command, but that doesn't mean that you can't do interesting things with the above.

[Patch removed due to age.]