main.C in maildrop 2.3.0 and earlier, when run by root with the -d
option, uses the gid of root for execution of the .mailfilter file in
a user's home directory, which allows local users to gain privileges
via a crafted file.
2.4.2 is already in the tree. I haven't seen any complaints about this version.
I'll take that as an OK for stabilizing.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
Marked ppc stable for bug #308043.
Stable for HPPA.
GLSA request filed.
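
The flaw described at the top of this bug leaves a process running with a user's uid but root's gid. The following is an added example, not code from maildrop or from this bug report: a check over the text of a `/proc/<pid>/status` dump on Linux that reports any root group identity left behind after the uid was dropped. The sample dumps, the process name in them and the function names are constructed for illustration.

```python
"""Flag a process that dropped root's uid but kept root's gid (added example)."""

GID_SLOTS = ("real", "effective", "saved", "filesystem")

# Constructed samples in /proc/<pid>/status layout (tab-separated id columns).
INCOMPLETE_DROP = (
    "Name:\tdelivery-agent\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t0\t0\t0\t0\n"
    "Groups:\t0 \n"
)
FULL_DROP = (
    "Name:\tdelivery-agent\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Groups:\t1000 \n"
)
STILL_ROOT = "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0 \n"


def parse_status(text):
    """Return the Uid, Gid and Groups lines of a status dump as lists of ints."""
    ids = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Uid", "Gid", "Groups"):
            ids[key] = [int(v) for v in value.split()]
    return ids


def root_group_leftovers(text):
    """List root group identities held by a process whose uids are all non-root."""
    ids = parse_status(text)
    uids = ids.get("Uid", [])
    if not uids or 0 in uids:
        # No data, or some uid slot is still root: a different condition,
        # not the incomplete drop this check looks for.
        return []
    findings = [f"{slot} gid is 0"
                for slot, gid in zip(GID_SLOTS, ids.get("Gid", [])) if gid == 0]
    if 0 in ids.get("Groups", []):
        findings.append("supplementary groups include 0")
    return findings


if __name__ == "__main__":
    for name, dump in (("incomplete", INCOMPLETE_DROP), ("full", FULL_DROP)):
        print(name, root_group_leftovers(dump))
```
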