7. Problem description:
Also, it was possible to use specially formatted 'MAILTO'
environment variables to send commands to sendmail.
FWIW, this was fixed in FreeBSD in early 1995 by Andrey Chernov
in response to a similar hole in atrun(8) that I reported.
2. There's no check for the src address and port of the replies to
forwarded calls to match the dst address and port of the original
call.
rpcbind does not check that RPC reply messages, received on the
socket used to forward CALLIT requests, have a valid source address,