Slackware: /usr/bin/Mail buffer overflow
Posted by LinuxSecurity.com Team   
Slackware The sgid bit has been removed from this binary to prevent a potential security vulnerability.
=========================
/usr/bin/Mail chmoded 755
=========================

The Mail program shipped with Slackware has been shown to be subject to a
buffer overflow that, if the program is sgid (as shipped with Slackware), can
provide a malicious user with gid "mail".  Having gid "mail" does not allow a 
user any special priveleges, as the mail group hasn't been used in Slackware
for years.  There is a security advisory being passed around, but we assure
you there's no threat from the Mail flaw.  Nonetheless, holes are no fun, and
we've closed this one by removing the sgid bit from /bin/Mail.  A new 
mailx.tgz package is available in Slackware-current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/mailx.tgz

==============================================================================

As always, more information is available in the Slackware-current ChangeLog:

     ftp://ftp.slackware.com/pub/slackware/slackware-current/ChangeLog.txt


   -- Your Friendly Neighborhood Slackware Security Team
      security@slackware.com