Summary
Boris Piwinger and Tavis Ormandy reported a heap overflow vulnerability in procmail's formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss, or possibly execute arbitrary code.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 3.22-20+deb7u1.
For the unstable distribution (sid), this problem has been fixed in version 3.22-22.
We recommend that you upgrade your procmail packages.
Insight
procmail can be used to create mail servers and mailing lists, sort incoming mail into separate folders/files (very convenient when subscribing to one or more mailing lists or for prioritising your mail), preprocess mail, start any program upon mail arrival (e.g. to generate different chimes on your workstation for different types of mail), or selectively forward certain incoming mail automatically to someone.
Affected
procmail on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
CVE-2014-3618
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities