------------------------------------------------------------------------
BCSA 017
Badly Coded, Inc. Security Advisory
September 30th, 2019
------------------------------------------------------------------------

BCSA-017: Failure to drop privilege in BCMTA 2.1 allows root execution

Affected versions: 2.0 and 2.1
Fixed versions: 2.2 and later

BCMTA drops its privileges to run the commands in a user's .forward file using that user's own privileges. However, because of a logic error, versions 2.0 and 2.1 of BCMTA dropped privilege only the first time a message was delivered to a command in a .forward file, and not on subsequent commands. In the default configuration, where BCMTA runs as root, this allows local privilege escalation.

Version 2.2 of BCMTA fixes this bug so that privilege dropping occurs for each command.

We would like to acknowledge a number of students from the University of Minnesota's Computer Science and Engineering 5271 course who reported this vulnerability.

All BCMTA users are recommended to upgrade at their earliest convenience.
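The following is an added illustration of the bug class the advisory describes, not BCMTA's own source (which is not shown here). `deliver_buggy` is a hypothetical reconstruction in which an "already dropped" flag outlives a single delivery, so only the first command ever runs as the .forward owner; privilege is modelled as a plain integer there so the logic can be exercised without root. `run_as_user` and `deliver_fixed` show the per-command pattern the fix calls for: fork a fresh child, drop group then user, verify the drop actually took effect, and only then exec. The command strings and the uid 1000 are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example, not BCMTA's code: contrasts a stateful "dropped once"
 * flag with dropping privilege in a fresh child for every command. */

#define ROOT_UID 0
#define MAX_CMDS 8

/* Which uid each simulated command ran under, in delivery order. */
struct run_log {
    uid_t ran_as[MAX_CMDS];
    int count;
};

/* Buggy pattern (hypothetical reconstruction of the advisory's bug class):
 * the static flag survives across deliveries, so after the first one the
 * commands keep running with the MTA's root uid. Privilege is modelled as
 * an integer here. Returns the uid the last command ran under; log may be NULL. */
uid_t deliver_buggy(int ncmds, uid_t owner, struct run_log *log) {
    static int dropped = 0;
    uid_t euid = ROOT_UID;
    for (int i = 0; i < ncmds; i++) {
        euid = ROOT_UID;                  /* the MTA itself runs as root */
        if (!dropped) {
            euid = owner;
            dropped = 1;                  /* never reset: later commands stay root */
        }
        if (log && log->count < MAX_CMDS)
            log->ran_as[log->count++] = euid;
    }
    return euid;
}

/* Hardened pattern: one child per command, drop inside the child, verify
 * the drop, then exec /bin/sh -c cmd. Returns the command's exit status,
 * 126 if privileges could not be dropped (fail closed), 127 if exec failed. */
int run_as_user(uid_t uid, gid_t gid, const char *cmd) {
    pid_t pid = fork();
    if (pid < 0)
        return 126;
    if (pid == 0) {
        /* gid first: after setuid() the process may no longer be allowed
         * to change its group. Check every return value. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        /* Verify rather than assume: a partial drop must not reach exec. */
        if (getuid() != uid || geteuid() != uid ||
            getgid() != gid || getegid() != gid)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 126;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128;
}

/* Fixed delivery loop: no shared flag, so each command gets its own drop.
 * Returns the highest exit status seen across the commands. */
int deliver_fixed(const char *const *cmds, int ncmds, uid_t owner, gid_t group) {
    int worst = 0;
    for (int i = 0; i < ncmds; i++) {
        int rc = run_as_user(owner, group, cmds[i]);
        if (rc > worst)
            worst = rc;
    }
    return worst;
}

int main(void) {
    struct run_log log = {{0}, 0};
    deliver_buggy(1, 1000, &log);         /* first message: dropped to 1000 */
    deliver_buggy(1, 1000, &log);         /* second message: still root (0) */
    printf("buggy: first ran as %d, second ran as %d\n",
           (int)log.ran_as[0], (int)log.ran_as[1]);

    /* Constructed sample commands; run as the invoking user so this works unprivileged. */
    const char *cmds[] = {"exit 0", "exit 3"};
    printf("fixed: worst exit status %d\n",
           deliver_fixed(cmds, 2, getuid(), getgid()));
    return 0;
}
```

Running the fixed path as the invoking user works without root because setgid()/setuid() to one's own real ids is always permitted; when the MTA really runs as root the same code drops to the .forward owner, and the post-drop getuid()/geteuid() check is what turns a silently failed drop into a refusal to exec.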