------------------------------------------------------------------------
BCSA 019      Badly Coded, Inc. Security Advisory      October 14th, 2019
------------------------------------------------------------------------

BCSA-019: Multiple vulnerabilities in BCMTA 2.3 allow root execution

Affected versions: 2.0 through 2.3
Fixed versions: 2.4 and later

Several vulnerabilities in versions of BCMTA up through 2.3 have come to
our attention.

First, the BCMTA_LOG_FORMAT environment variable was used as a format
string without appropriate checking, allowing a format string attack.

Second, the check to determine whether a file being used for mail
delivery was owned by the correct user had a time-of-check to
time-of-use gap vulnerability, which allowed other files to be
overwritten.

Finally, a new feature which allowed users to supply code to execute as
part of the message forwarding processes allowed too many instructions,
including instructions that could be used to jump to shellcode provided
by the user running BCMTA.

These vulnerabilities have been addressed in version 2.4 of BCMTA.

We would like to acknowledge a number of students from the University of
Minnesota's Computer Science and Engineering 5271 course who reported
these vulnerabilities.

All BCMTA users are recommended to upgrade at their earliest
convenience.
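
For the second issue above, one way to close a time-of-check to time-of-use gap is to open the file first and check ownership on the descriptor. This is an added example, not BCMTA's code or its 2.4 fix; the function names and the /tmp paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a delivery file for append only if it is a
 * regular file owned by `owner`. Returns an fd, or -1 on any failure. */
int open_mailbox_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink in the final path component only;
     * parent directories must be trusted separately. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() describes the object actually held open, so a later rename
     * or symlink swap of `path` cannot change the answer. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: returns 0 when all three cases behave as expected. */
int run_demo(void)
{
    char file[] = "/tmp/bcsa_demo_XXXXXX";
    char link[64];
    int failures = 0, fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) { unlink(file); return -1; }
    fd = open_mailbox_checked(file, geteuid());      /* own file: accepted */
    if (fd < 0) failures++; else close(fd);
    fd = open_mailbox_checked(file, geteuid() + 1);  /* wrong owner: rejected */
    if (fd >= 0) { failures++; close(fd); }
    fd = open_mailbox_checked(link, geteuid());      /* symlink: rejected */
    if (fd >= 0) { failures++; close(fd); }
    unlink(link);
    unlink(file);
    return failures;
}

int main(void) { return run_demo(); }
```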