Jordi,
I'm the researcher that brought the privilege escalation issue to Sergey's attention. I'll be releasing more details soon following the assignment of a CVE, but the issue revolves around the --url option, which permits the ability to write to arbitrary files. Combined with maidag being setuid root by default, the issue can lead to arbitrary command execution as root.
If you can't upgrade to mailutils 3.8 there may be a few other options.
1) The issue itself is nullified if maidag is not set as setuid. If you don't require the setuid functionality of maidag, you may want to run a `chmod u-s /usr/sbin/maidag`. Some distros strip the suid bit during installation of mailutils, so it could be that the 'flaw' is not a flaw at all for you, which can be verified with a `ls -l /usr/sbin/maidag`.
2) If you do need the setuid capability of maidag, you may be able to get away with changing the user ownership of maidag to a non-root user that's less risky.
3) It may be possible to address the issue in code by turning off setuid when utilizing the --url parameter. I think this can be handled in the following (untested) way:
In maidag/maidag.c you will find a code block like:
    case mode_url:
      /* FIXME: Verify if the urls are deliverable? */
      delivery_fun = deliver_to_url;
      break;
My guess is that if you add a block like the following in that case statement, you will effectively mitigate the issue.
    int user_user_id = getuid();  /* real uid of the user who invoked maidag */
#ifdef _POSIX_SAVED_IDS
    /* saved set-user-ID available: lowering the effective uid is sufficient */
    if (seteuid(user_user_id) != 0)
      exit (EXIT_FAILURE);  /* never continue as root if the drop fails (needs <stdlib.h>) */
#else
    /* no saved uid: swap real and effective so the effective uid is the caller */
    if (setreuid (geteuid(), getuid()) != 0)
      exit (EXIT_FAILURE);
#endif
Mike
--
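The privilege drop sketched in the message, as an added example written for this page rather than code from maidag or from Mike's post: it checks the return values, verifies that the effective uid really changed, and includes the setuid-bit check that `ls -l` would show. The default path /usr/sbin/maidag comes from the message; the function names are the example's own.

```c
/* Added example, not maidag's own code: drop an effective uid of root back to
 * the invoking user before acting on a caller-supplied path, and verify it. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path carries the set-user-ID bit, 0 if not, -1 if it cannot be
 * stat'ed. Same answer as the 's' in the owner column of `ls -l`. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Make the effective uid equal to the real (invoking) uid before touching any
 * caller-supplied path. Returns 0 on success, -1 on failure (treat as fatal). */
int drop_to_invoking_user(void)
{
    uid_t real = getuid();
#ifdef _POSIX_SAVED_IDS
    /* A saved set-user-ID exists, so lowering euid alone is enough; root can
       be restored from the saved uid later if another step needs it. */
    if (seteuid(real) != 0)
        return -1;
#else
    /* No saved uid: swap real and effective so root is parked in the real uid
       and the effective uid becomes the caller. */
    if (setreuid(geteuid(), real) != 0)
        return -1;
#endif
    /* Never trust the call alone; confirm the kernel really changed euid. */
    return (geteuid() == real) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *target = (argc > 1) ? argv[1] : "/usr/sbin/maidag";
    int suid = has_setuid_bit(target);
    printf("%s: setuid bit %s\n", target,
           suid < 0 ? "unknown (stat failed)" : suid ? "set" : "not set");
    if (drop_to_invoking_user() != 0) {
        perror("privilege drop failed");
        return 1;
    }
    printf("effective uid is now %u\n", (unsigned)geteuid());
    return 0;
}
```

Run as an unprivileged user the drop is a no-op that still verifies cleanly; run setuid root it lowers the effective uid before any path is touched.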