Debian Security Advisory

DSA-468-1 emil -- several vulnerabilities

Date Reported: 24 Mar 2004
Affected Packages: emil
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 9974.
In Mitre's CVE dictionary: CVE-2004-0152, CVE-2004-0153.
More information:

Ulf Härnhammar discovered a number of vulnerabilities in emil, a filter for converting Internet mail messages. The vulnerabilities fall into two categories:

  • CAN-2004-0152

    Buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) the decode_uuencode function. These bugs could allow a carefully crafted email message to cause the execution of arbitrary code supplied with the message when it is acted upon by emil.

  • CAN-2004-0153

    Format string bugs in statements which print various error messages. The exploit potential of these bugs has not been established, and is probably configuration-dependent.
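As an added illustration (not emil's code and not part of the original advisory), the C example below shows the two defensive patterns these bug classes call for: a uuencoded-line decoder that checks the declared length against both the output buffer and the input actually present, and an error message built with a constant format string. The function names `uu_decode_line` and `report_bad_line` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* 6-bit value of one uuencode character; ' ' and '`' both decode to 0. */
#define UU_VAL(c) ((unsigned)(((unsigned char)(c) - ' ') & 0x3f))

/* Decode one uuencoded line into out[cap]. Returns bytes written, or -1 when
 * the line is malformed or its declared length does not fit the buffers.
 * Strict: lines with their trailing padding stripped are rejected. */
int uu_decode_line(const char *line, unsigned char *out, size_t cap)
{
    size_t len = strlen(line), n, groups, g, w = 0;

    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;
    if (len == 0)
        return -1;
    for (g = 0; g < len; g++)              /* alphabet is ' ' through '`' */
        if (line[g] < ' ' || line[g] > '`')
            return -1;

    n = UU_VAL(line[0]);                   /* untrusted declared length, 0..63 */
    groups = (n + 2) / 3;
    if (n > cap)                           /* must fit the output buffer */
        return -1;
    if (len - 1 < groups * 4)              /* must be backed by real input */
        return -1;

    for (g = 0; g < groups; g++) {
        const char *p = line + 1 + 4 * g;
        unsigned a = UU_VAL(p[0]), b = UU_VAL(p[1]), c = UU_VAL(p[2]), d = UU_VAL(p[3]);
        unsigned char tri[3];
        int k;
        tri[0] = (unsigned char)((a << 2) | (b >> 4));
        tri[1] = (unsigned char)((b << 4) | (c >> 2));
        tri[2] = (unsigned char)((c << 6) | d);
        for (k = 0; k < 3 && w < n; k++)   /* never write past declared length */
            out[w++] = tri[k];
    }
    return (int)w;
}

/* Error text for a rejected line: the untrusted bytes are an argument to a
 * constant format string, never the format itself, and are length-limited. */
int report_bad_line(char *msg, size_t cap, const char *untrusted)
{
    return snprintf(msg, cap, "bad uuencoded line: %.40s", untrusted);
}
```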

For the stable distribution (woody) these problems have been fixed in version 2.1.0-beta9-11woody1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you update your emil package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.