Bug 396639 - net-mail/mpack Permissions allow Mail Information Disclosure
Summary: net-mail/mpack Permissions allow Mail Information Disclosure
Status: RESOLVED DUPLICATE of bug 171075
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://git.goodpoint.de/?p=mpacktraff...
Whiteboard: ~4 [upstream]
Reported: 2011-12-31 22:20 UTC by Michael Harrison
Modified: 2011-12-31 22:53 UTC

Description Michael Harrison 2011-12-31 22:20:55 UTC
Vulnerability in mpack allows users to eavesdrop on mails sent by any user on the system, including mails sent by root.

To reduce the probability of telling something here that turns out wrong
later, I wrote a little tool called "mpacktrafficripper" [2] to
demonstrate and verify the exploit.

When using mpack, permissions allow information disclosure

  1) make a tempfile name using mktemp

  2) open that file using open(..., O_CREAT|O_EXCL, 0644)
  3) write to the file                              ^^^^
  4) close it

  5) re-open the file using fopen(..., "r")
  6) read from it
  7) close it

  8) delete the file

So due to permissions 0644 everyone can read the file if he opens the file
for reading before it's deleted.  With an open file descriptor, there
should not even be a reason to hurry.

So a call like

  # sudo mpack -s foo /etc/passwd fake@mail.com

can be eavesdropped on in Debian and Gentoo.

Solution:
A patch could be to create files with 0600 permissions rather
than 0644.

Bug Discovered by Sebastian Pipping, and forwarded via oss-security ML. Currently no reference $URL
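
The create-by-name sequence from the description, next to a pattern that leaves no readable name behind, as an added C example that is not mpack's code and not part of the original report. The function names, the /tmp/scratch-demo-* paths and the fixed umask of 022 are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Steps 1-4 of the report: create a scratch file by name with an explicit
 * mode. Returns the permission bits that ended up on disk, or -1. */
static int mode_after_open(mode_t requested)
{
    char path[64];
    struct stat st;
    mode_t old = umask(022);   /* assumed: the common default umask */
    snprintf(path, sizeof path, "/tmp/scratch-demo-%ld-%o",
             (long)getpid(), (unsigned)requested);   /* constructed name */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Alternative: mkstemp() creates the file 0600; unlink the name at once and
 * rewind the same descriptor instead of re-opening by path. 0 on success. */
static int private_scratch_roundtrip(void)
{
    char path[] = "/tmp/scratch-demo-XXXXXX";
    char buf[8] = {0};
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);              /* no name left for another user to open */
    int ok = fstat(fd, &st) == 0 && (st.st_mode & 077) == 0
          && write(fd, "sample", 6) == 6
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, buf, sizeof buf - 1) == 6;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("open 0644 -> %04o\n", mode_after_open(0644));
    printf("open 0600 -> %04o\n", mode_after_open(0600));
    return private_scratch_roundtrip() == 0 ? 0 : 1;
}
```

With umask 022 the first call reports 0644 (group and other can read) and the second 0600; the mkstemp() variant never needs the file name again after creation.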
Comment 1 Michael Harrison 2011-12-31 22:53:25 UTC

*** This bug has been marked as a duplicate of bug 171075 ***