Not sure if 2.4* is affected
----------------------------------
Version(s): 2.5 PL5, 2.5 PL6, and 2.5 PL7; possibly others

Description: A vulnerability was reported in Elm. A remote user can cause arbitrary code to be executed on the target user's system. The software does not properly parse SMTP Expires header lines. A remote user can send e-mail with a specially crafted Expires header value. Then, when the target user loads Elm or views the inbox, a buffer overflow will be triggered and arbitrary code may be executed. The code will run with the privileges of the target user. Ulf Harnhammar reported this vulnerability.

Impact: A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.

Solution: Elm 2.5 PL8 (available at ftp://ftp.virginia.edu/pub/elm/) is not vulnerable.
net-mail, please verify if we are affected and bump if necessary.
I can open the supplied test message in elm-2.4_rc100-r1 (the only version provided by us) just fine. What exactly is it supposed to do, anyway?
Ok, I then assume that we are not vulnerable. I also had a short (really short, so don't take this as the last word) look at the code and couldn't find the file that needs fixing or something that could come close, so I'm closing this as invalid. Feel free to reopen if you disagree.
*** Bug 112582 has been marked as a duplicate of this bug. ***