The "spam" ACL condition code contained a sscanf() call with a %s

conversion specification without a maximum field width, thereby
enabling a rogue spamd server to cause a buffer overflow. While nobody
in their right mind would setup Exim to query an untrusted spamd
server, an attacker that gains access to a server running spamd could
potentially exploit this vulnerability to run arbitrary code as the
Exim user.