------------------------------------------------------------------------
BCSA 015                             Badly Coded, Inc. Security Advisory
                                                         March 25th, 2019
------------------------------------------------------------------------

BCSA-015: Overflow in message address in BCMTA 1.2 allows root execution

Affected versions: 1.2 and earlier
Fixed versions:    1.3 and later

It has come to our attention that versions of BCMTA through 1.2 contain
a buffer overflow vulnerability: an excessively long recipient email
address is copied into a fixed-size stack buffer without a length
check, so a crafted address can smash the stack and, in the worst case,
execute arbitrary code as root.

A bounds check has been added to this array access in version 1.3.
Also, as a defense in depth, the global variable that previously
controlled a feature intended only for testing has been replaced with a
compile-time configuration, so that the feature can no longer be
switched on at run time by overwriting that variable.

We would like to acknowledge a number of students from the University
of Minnesota's Computer Science and Engineering 5271 course who reported
this vulnerability.

All BCMTA users are recommended to upgrade at their earliest
convenience.
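The following is an added illustration of the bug class and the two fixes this advisory names; it is not BCMTA source code. The function names, the buffer size ADDR_MAX, the debug_mode global and the BCMTA_TEST_MODE macro are all hypothetical, chosen only to show the pattern: a fixed-size stack buffer filled by an unchecked copy next to the same routine with a length check, and a run-time flag gating a test-only path next to the same gate moved to compile time.

```c
/*
 * Added example, not BCMTA code. Shows a recipient-address handler
 * before and after the fixes described in the advisory. All names,
 * sizes and the test-mode feature are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MAX 256   /* hypothetical size of the on-stack address buffer */

/* ---- Before: the pattern the advisory describes ---- */

/* A writable global that switches on a test-only feature. Anything that
 * can corrupt memory can also flip it, which is why the fix below removes
 * it in favour of a compile-time setting. */
int debug_mode = 0;

/* Copies the address into a fixed-size stack buffer with no length check.
 * An address longer than ADDR_MAX - 1 bytes overwrites whatever lies
 * beyond buf on the stack (locals, saved registers, return address).
 * Deliberately kept as the "before" version: never call it with untrusted
 * or over-long input. */
int deliver_vulnerable(const char *addr)
{
    char buf[ADDR_MAX];
    strcpy(buf, addr);                      /* no bounds check */
    if (debug_mode)
        puts("debug: taking test-only delivery path");
    return (int)strlen(buf);
}

/* ---- After: bounds check plus compile-time gating ---- */

/* The test-only path now exists only when built with -DBCMTA_TEST_MODE;
 * a production binary has no flag in memory that an exploit could set. */
#ifdef BCMTA_TEST_MODE
static void test_only_delivery(void) { puts("test-only delivery path"); }
#endif

/* Rejects an address that would not fit, before any byte is copied.
 * Returns the accepted length, or -1 if the address is too long. */
int deliver_checked(const char *addr)
{
    char buf[ADDR_MAX];
    size_t n = strlen(addr);
    if (n >= ADDR_MAX)                      /* leave room for the NUL */
        return -1;
    memcpy(buf, addr, n + 1);
#ifdef BCMTA_TEST_MODE
    test_only_delivery();
#endif
    return (int)n;
}

/* Helper for exercising the checked version with a constructed address of
 * exactly `len` bytes (all 'A'). Heap-allocated so the caller never builds
 * a huge array on its own stack. */
int checked_with_length(size_t len)
{
    char *addr = malloc(len + 1);
    if (addr == NULL)
        return -2;
    memset(addr, 'A', len);
    addr[len] = '\0';
    int rc = deliver_checked(addr);
    free(addr);
    return rc;
}

int main(void)
{
    /* Constructed sample input. */
    const char *ok = "alice@example.test";
    printf("checked, normal address:   %d\n", deliver_checked(ok));
    printf("checked, %d-byte address: %d\n", ADDR_MAX - 1,
           checked_with_length(ADDR_MAX - 1));
    printf("checked, %d-byte address: %d\n", ADDR_MAX,
           checked_with_length(ADDR_MAX));
    /* deliver_vulnerable() is not called with a long address here: doing
     * so is exactly the stack smash the advisory describes. */
    return 0;
}
```

The check compares the incoming length against the buffer size before copying, which is the "bounds check on this array access" the advisory refers to; the compile-time gate removes the run-time variable entirely rather than just protecting it, which is why it counts as defense in depth rather than a fix for the overflow itself.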