TurboLinux Security Announcement: Package: nmh-1.0.2 and earlier | Linux Today

TurboLinux Security Announcement: Package: nmh-1.0.2 and earlier

Written By
Web Webster
Web Webster
Mar 22, 2000

Date: Tue, 21 Mar 2000 17:06:26 -0800 (PST)
From: Katie Moussouris k8e@mail.turbolinux.com
To: tl-security-announce@turbolinux.com
Subject: [TL-Security-Announce] nmh-1.0.2 and earlier
TLSA200008-1

TurboLinux Security Announcement

Package: nmh-1.0.2 and earlier
Date: Tue Mar 21 17:42:37 PST 2000

Affected TurboLinux versions: 6.0.2 and earlier
Vulnerability Type: remote execution of shellcode
TurboLinux Advisory ID#: TLSA200008-1
BugTraq ID#: 1018
Credits: This vulnerability was posted to the Bugtraq mailing list
on
February 28, 2000 by ruud@ruud.org (Ruud de Rooij).


A security hole was discovered in the package mentioned above.
Please update the package in your installation as soon as possible
or disable the service.


1. Problem Summary

A buffer overrun exists in nmh versions 1.0.2 and prior. Due to
improper MIME header parsing, an attacker could create a MIME
message such that the mhshow utility may be used to execute shell
code when the message is viewed.

2. Impact

An attacker can use this exploit to remotely execute code on the
machine where nmh is being used to read mail. This could easily
lead to a remote root compromise.

3. Solution

Update the package from our ftp server by running the following
command:

rpm -Fv ftp_path_to_filename

Where ftp_path_to_filename is the following:


ftp://ftp.turbolinux.com/pub/updates/6.0/security/nmh-1.0.3-0.i386.rpm

The source rpm can be downloaded here:


ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/nmh-1.0.3-0.src.rpm

**Note: You must rebuild and install the rpm if you choose to
download and install the srpm. Simply installing the srpm alone
WILL NOT CLOSE THE SECURITY HOLE.

Please verify the md5 checksum of the update before you
install:

  MD5 sum                               Package Name

f69c396498cac8c8da72e6ea122ed456 nmh-1.0.3-0.i386.rpm
27bcd2c1cb6a8424861ce26b5304cc9c nmh-1.0.3-0.src.rpm

You can find more updates on our ftp server:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/
for TL6.0 Workstation and Server security updates
ftp://ftp.turbolinux.com/pub/updates/4.0/security/
for TL4.0 Workstation and Server security updates

Our webpage for security announcements:

http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

rt-security@turbolinux.com


Subscribe to the TurboLinux Security Mailing lists:

TL-security – A moderated list for discussing security issues in
TurboLinux products.

Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

TL-security-announce – An announce-only mailing list for
security updates and alerts.

Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security-announce

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.