A problem in the bug reporting system for exmh, an X-based interface for the MH mail, can cause overwriting of arbitrary system files that are writable by the user running exmh. When exmh encounters a problem in its code, it opens a dialog that asks the user what happened and then allows them to send a bug report to the author. If the user chooses to e-mail the bug report, exmh creates the file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink, overwriting the file that it is linked to.
This vulnerability applies to all versions of exmh 2.2 and earlier. However, users of these versions can set the TMPDIR or EXMHTMPDIR environment variables to change the /tmp choice. This feature already exists and you do not need to apply the patch to enable it. Any exmh user can avoid the attack by setting either of these environment variables to a directory they own.
The default of /tmp has been changed with a fix to the env.tcl file that decides which directory to use for temporary files. Instead of using /tmp as the default, the program now uses /tmp/username and ensures that the directory is owned and write-only to the user.
This fix is in exmh-2.3.
Users can apply the patch to their env.tcl, or simply install a new version of that file.