Hypermail long hostname buffer overflow

hypermail-long-hostname-bo (11158) The risk level is classified as HighHigh Risk


Hypermail is vulnerable to a buffer overflow, caused by improper bounds checking of user hostnames when the CGI mail program performs reverse look-ups of IP addresses. By setting an overly long hostname on their server and sending an HTTP request to the Hypermail CGI mail program, a remote attacker could overflow a buffer and execute arbitrary code on the system, once the malicious hostname is resolved.


Gain Access


Upgrade to the latest version of Hypermail (2.1.6 or later), available from the SourceForge.net Web site. See References.

For Debian/GNU Linux:
Upgrade to the latest hypermail package, as listed below. Refer to DSA-248-1 for more information. See References.

Debian GNU/Linux 2.2 (potato): 2.0b25-1.1 or later
Debian GNU/Linux 3.0 (woody): 2.1.3-2.0 or later

As a workaround, remove the CGI mail program from the cgi-bin directory, if it is not required.



  • SourceForge.net: SourceForge.net: Project Info - hypermail - convert mbox to HTML.
  • VulnWatch Mailing List, Sun Jan 26 2003 - 20:02:39 CST : Hypermail buffer overflows .
  • BID-6689: Hypermail Message Attachment Buffer Overflow Vulnerability
  • BID-6690: Hypermail CGI Mail Reverse DNS Lookup Buffer Overflow Vulnerability
  • CVE-2003-0057: Multiple buffer overflows in Hypermail 2 before 2.1.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname.
  • DSA-248: hypermail -- buffer overflows
  • SA8030: Debian updates to hypermail
  • SUSE-SA:2003:0012: hypermail: remote system compromise

Platforms Affected:

  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • Hypermail Hypermail 2.1.3
  • Hypermail Hypermail 2.1.4
  • Hypermail Hypermail 2.1.5
  • SUSE SuSE Linux 7.1
  • SUSE SuSE Linux 7.2
  • SUSE SuSE Linux 7.3
  • SUSE SuSE Linux 8.0
  • SUSE SuSE Linux 8.1


Jan 26, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page