There is a security hole in Red Hat 2.1, which installs /usr/bin/mh/inc
and /usr/bin/mh/msgchk suid root.  These programs are configured suid root
in order to bind to a privileged port for rpop authentication.  However,
there is a non-security conflict between mh and the default Red Hat 2.1
configuration in that the /etc/services lists pop-2 and pop-3 services, but
the mh utilities do lookups for a pop service, which doesn't exist, resulting
in an inability to use any of the pop functionality.  This may be a fortunate
bug, since there may be more serious security holes within the pop functions
of these two program.
   The security hole present in these two programs is that when opening
up the configuration files in the user's home directory, root privileges
are maintained, and symbolic links are followed.  This allows an arbitrary
file to to be opened.  Fortunately, the program does not simply dump the
contents of this file anywhere, and only certain formatting is allowed in
the file to be processed by the program in order to see any output.  In
the cases where it will be processed, only the first line of the file will
actually be output to the user.

                   Program: /usr/bin/mh/inc, /usr/bin/mh/msgchk
Affected Operating Systems: RedHat 2.1 linux distribution
              Requirements: account on system
                     Patch: chmod -s /usr/bin/mh/inc /usr/bin/mh/msgchk
       Security Compromise: read 1st line of some arbitrary files
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: inc & msgchk fail to check file permissions
                            before opening user configuration files
                            in the user's home directory, allowing a user
                            on the system to read the first line of any
                            file on the system with some limitations.

Exploit:
$ ln -s FILE_TO_READ ~/.mh_profile
$ /usr/bin/mh/msgchk