Advisories for Cargo/Lettre package

Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable. Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features). NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.