Debian Security Advisory DSA 2805-1 (sup-mail - command injection)

Summary
joernchen of Phenoelit discovered two command injection flaws in Sup, a console-based email client. An attacker could execute arbitrary commands if the user opens a maliciously crafted email.
CVE-2013-4478: Sup wrongly handled the filename of attachments.
CVE-2013-4479: Sup did not sanitize the content-type of attachments.
Solution
For the oldstable distribution (squeeze), these problems have been fixed in version 0.11-2+nmu1+deb6u1. For the stable distribution (wheezy), these problems have been fixed in version 0.12.1+git20120407.aaa852f-1+deb7u1. We recommend that you upgrade your sup-mail packages.
Insight
Sup is a console-based email client for people with a lot of email. It supports tagging, very fast full-text search, automatic contact-list management, custom code insertion via a hook system, and more. If you're the type of person who treats email as an extension of your long-term memory, Sup is for you.
Affected
sup-mail on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References