On 2016/03/20 13:54, Michael McConville wrote:
> Stuart Henderson wrote:
> > As mentioned elsewhere but wanted to get it on ports@ as well, a few
> > other programs have a soft dependency on metamail, mostly newsreaders
> > (tin, slrn and emacs gnus can optionally use it). And it may be used
> > in some local scripts for encoding MIME messages, there aren't many
> > options for simple command-line tools to do this..
> 
> My main concern is how vulnerable metamail likely is. It had a
> far-from-stellar record when it was popular:
> 
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=metamail
> 
> Because it isn't packaged with Debian or being widely used anymore, I
> doubt it's getting many eyeballs. And development stopped in 1994. I
> wouldn't be surprised if the latest versions of afl and Coverity could
> find some scary stuff.
> 

I see that other BSDs have metamail and a separate package for mmencode.
What do you think about doing that and removing the main metamail
port? mmencode will skip the scariest code and is probably the part that
is hardest to replace (e.g. mpack/munpack don't do some of the encodings
that mmencode supports).
