[Bug 194290] New: CVE-2006-2447 spamassassin arbitrary command execution

[bugzilla at redhat.com]

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194290

           Summary: CVE-2006-2447 spamassassin arbitrary command execution
           Product: Fedora Core
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: spamassassin
        AssignedTo: wtogami at redhat.com
        ReportedBy: bressers at redhat.com
                CC: fedora-perl-devel-
                    list at redhat.com,felicity at kluge.net,jm at jmason.org,parkerm
                    @pobox.com,reg+redhat at sidney.com,security-response-
                    team at redhat.com,wtogami at redhat.com


+++ This bug was initially created as a clone of Bug #193865 +++

CVE-2006-2447 spamassassin arbitrary command execution

If spamd is run with the
"-v" / "--vpopmail" switch, AND with the "-P" / "--paranoid" switch
It becomes possible to execute arbitrary commands as the user spamd is
running as.

This issue is mitigated by the fact that no imap servers as shipped
with RHEL support vpopmail.  These options are also not the default
spamd options when it is started as a service.


This issue should also affect FC4

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.