------------------------------------------------------------------------
BCSA 018      Badly Coded, Inc. Security Advisory      October 7th, 2019
------------------------------------------------------------------------

BCSA-018: Multiple vulnerabilities in BCMTA 2.2 allow root execution

Affected versions: 2.0 through 2.2
Fixed versions: 2.3 and later

Several vulnerabilities in versions of BCMTA up through 2.2 have come
to our attention. First, there were two faults allowing for buffer
overflows: one in the function term_copy, which used an unnecessary
temporary buffer that was sometimes not long enough, and the other in
the use of the HOME environment variable to find the ".forward" file
when delivering a message to the user him or herself. Second, when
delivering messages to a file specified in the user's .forward file,
BCMTA failed to check that the file belonged to the user the message
was supposed to be delivered to, which could allow changes to system
files.

Also, we have determined that some of these vulnerabilities were
exacerbated by premature optimization changes, such as the
"accelerated_strcpy" function we introduced in version 2.2. In version
2.3 we have disabled this function and changed the compilation process
to use a lower optimization level.

We would like to acknowledge a number of students from the University
of Minnesota's Computer Science and Engineering 5271 course who
reported this vulnerability.

All BCMTA users are recommended to upgrade at their earliest
convenience.
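
One way to enforce the .forward ownership check described above. This is an added example, not BCMTA's code or the 2.3 fix; the function names and the /tmp test path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not BCMTA code: open an existing delivery target
 * named in .forward, on behalf of `recipient`. Returns fd, or -1 if refused. */
int open_delivery_target(const char *path, uid_t recipient)
{
    /* O_NOFOLLOW refuses a symlink as the last path component; O_NONBLOCK
     * avoids hanging on a FIFO. No O_CREAT: existing files only. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor, not the path, so the checks apply to the
     * object actually opened and cannot be raced by a rename. */
    struct stat st;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||    /* regular files only */
        st.st_uid != recipient ||  /* the check BCSA-018 says was missing */
        st.st_nlink != 1) {        /* conservative: no extra hard links */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check. Bit 0: recipient's own file accepted; bit 1: file
 * of a different uid refused; bit 2: symlink refused. Expected value: 7. */
int delivery_selfcheck(void)
{
    char file[] = "/tmp/bcsa018-XXXXXX", lnk[64];
    int result = 0, fd = mkstemp(file);
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return -1; }

    if ((fd = open_delivery_target(file, geteuid())) >= 0) { result |= 1; close(fd); }
    if (open_delivery_target(file, geteuid() + 1) < 0) result |= 2;
    if (open_delivery_target(lnk, geteuid()) < 0) result |= 4;
    unlink(lnk);
    unlink(file);
    return result;
}
```

A delivery agent running as root would normally also switch to the recipient's uid before writing, so that the kernel's own permission checks apply in addition to this one.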