Edward Brocklesby: hacker received advance notice of zero-day vulnerabilities in MH and NMH email software


The web page for nmh, a UNIX mail client, tells us that versions prior to 1.0.3 had a back door:

All versions of nmh prior to 1.0.3 (as well as MH) contained a vulnerability where incoming mail messages with carefully designed MIME headers could cause the mhshow command to execute arbitrary shell code.

Brocklesby was maintainer of the MH package and therefore he received advance warning of the security vulnerability in both MH and NMH software. The warning was circulated in the debian-private cubby house approximately four days before a public bug report appeared. He may have received other personal emails or IRC chat messages about the issue before anybody else had time to protect their systems.

Subject: FWD: MH also vulnerable to remote attack (was Re: nmh security update)
Date: Fri, 3 Mar 2000 19:10:19 -0800
From: Joey Hess <joeyh@debian.org>
To: Edward Brocklesby <ejb@debian.org>
CC: security@bugs.debian.org

We've patched nmh, but it looks like mh may be vunerable to the same hole.

----- Forwarded message from Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> -----

Date:         Thu, 2 Mar 2000 16:37:37 -0800
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
Subject:      MH also vulnerable to remote attack (was Re: nmh security update)
To: BUGTRAQ@SECURITYFOCUS.COM

Ruud de Rooij <ruud@RUUD.ORG> writes:
> Versions prior to 1.0.3 of the nmh package contained a vulnerability
> where incoming mail messages with carefully designed MIME headers could
> cause nmh's mhshow command to execute arbitrary shell code.
>
> This bug has been fixed in nmh 1.0.3 and we encourage you to upgrade
> immediately.  The fixed package is available at
>
>   ftp://ftp.mhost.com/pub/nmh/nmh-1.0.3.tar.gz
>
> The MD5sum of nmh-1.0.3.tar.gz is 02519bf8f7ff8590ecfbee9f9500ea07.

Please note that the MIME-handling code with the security hole dates back to
nmh's ancestor MH, so MH users (at least those using latter-day versions
with MIME capability) are also strongly encouraged to upgrade to nmh 1.0.3.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

----- End forwarded message -----

-- 
see shy jo

The rogue elements of Debian spent over $120,000 to attack my family and I with lawyers after my father died. They made no credible inquiry into the activities of real hackers. They only care about making political attacks on volunteers and our families. Security is above their pay grade.

It is now ten days after my first disclosure about the Edward Brocklesby affair and there is no comment whatsoever from the Debian security team. The only comments they make are to attack my family and I, a reprisal for raising another serious security concern.

Read more articles about the mysterious Edward Brocklesby & Debian affair.

Please see the chronological history of how the Debian harassment and abuse culture evolved.

More news and policy statements regarding my campaign for Dublin Bay South:

Please print my brochure if you want Ireland to change