Vulnerability in mpack allows users to eavesdrop on mails sent by any user on the system, including mails sent by root. To reduce the probability of telling something here that turns out wrong later, I wrote a little tool called "mpacktrafficripper" [2] to demonstrate and verify the exploit. When using mpack, permissions allow information disclosure 1) make a tempfile name using mktemp 2) open that file using open(..., O_CREAT|O_EXCL, 0644) 3) write to the file ^^^^ 4) close it 5) re-open the file using fopen(..., "r") 6) read from it 7) close it 8) delete the file So due to permissions 0644 everyone can read the file he opens the file for reading before it's deleted. With an open file descriptor, there should not even be a reason to hurry. So a call like # sudo mpack -s foo /etc/passwd fake@mail.com can be eavesdropped on in Debian and Gentoo. Solution: A patch could be to change create files with 0600 permissions rather than 0644 Bug Discovered by Sebastian Pipping, and forwarded via oss-security ML. Currently no reference $URL
*** This bug has been marked as a duplicate of bug 171075 ***