msmtp 1.8.19 is released

2021-11-04

This release fixes a security problem in the minimal SMTP server msmtpd: mail addresses starting with a hyphen could be interpreted as command line options by the pipe command. This could be used to make the pipe command run arbitrary executables with the user id of the msmtpd process.

Note that msmtp itself is not affected. You are only affected if you run msmtpd without authentication and with a pipe command that does not end with -- (to separate options from arguments). Since msmtpd only accepts connections on the local interface by default, this bug can only be triggered by untrusted processes on your machine; it cannot be triggered over the network.

As a workaround, you can configure the msmtpd pipe command to end with --.
If you want to patch an older version instead of updating to 1.8.19, the relevant git commit is 2679609f72e27760f9785c3905f9943451b47a12 and this patch applies to all versions starting with 1.8.0 when used with patch -F3.
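
The effect of ending the pipe command with -- can be seen in this added example (not code from msmtp or msmtpd): mock_deliver is a constructed stand-in for a delivery program, its -d flag, the run_pipe and is_safe_rcpt helpers and all addresses are hypothetical. The is_safe_rcpt check is an extra precaution shown for illustration and does not describe the change made in 1.8.19.

```shell
#!/bin/sh
# Constructed stand-in for a program that receives mail through a pipe command.
# It accepts "-f FROM" and a hypothetical "-d" flag, followed by recipients.
mock_deliver() {
    OPTIND=1
    from="" debug=0
    while getopts "f:d" opt; do
        case "$opt" in
            f) from=$OPTARG ;;
            d) debug=1 ;;
            *) echo "error"; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    # Report how the arguments were interpreted.
    echo "from=$from debug=$debug rcpts=$#:$*"
}

# Simulates the server side: the configured command, then the recipient
# addresses appended as arguments.
run_pipe() {
    mode=$1; shift
    case "$mode" in
        unsafe) mock_deliver -f sender@example.org "$@" ;;     # no trailing --
        safe)   mock_deliver -f sender@example.org -- "$@" ;;  # ends with --
    esac
}

# Hypothetical additional check: refuse addresses that begin with a hyphen.
is_safe_rcpt() {
    case "$1" in
        -*) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample input: a "recipient" that looks like an option.
run_pipe unsafe -d   # the address is consumed as the -d option
run_pipe safe -d     # the address stays a plain recipient argument
```

In the unsafe case the recipient list ends up empty and the flag is set; with the trailing -- the same string is passed through as data.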