This patch fixes a format string vulnerability in Mailutils 0.6 imap4d search
Fix is there:
net-mail: do we install any init script for imap4d, and if so, which user does it
run as? Please advise and bump as necessary.
No, we don't install an init script for imap4d. I'll try to bump it later.
Rerating as C1 (marginal software with specific configuration); still, it is
rated as major severity.
mailutils-0.6-r2 is in CVS with that patch.
Keyworded alright, ready for GLSA
Let's have a vote, because impact is not that obvious...
Authenticated users may execute code as the user imap4d runs as. Since imap4d
apparently supports non-system auth, this may open the system to unauthorized
access... I tend to vote YES.
We don't provide an init script and only authenticated users can supposedly
exploit the vulnerability. I vote NO.
I vote YES, for the reasons koon mentioned.
Yes over here, too.