I've attached my patch for the issue. I removed the calls to access(), and instead called setegid() to drop group permissions before opening both the input and output files. I re-raised the egid after this, because movemail needs egid mail to create a lockfile in the mail directory if it's not world-writeable. Movemail already dropped the euid with setuid() prior to opening the files, so I didn't have to deal with that. I inserted checks on the return values of all the setuid() functions, just to be safe.
I've confirmed that this resolves the vulnerability and does not break functionality.
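The pattern the message describes (drop the effective gid, open the file, check every return value, then re-raise the egid), as an added example that is not the attached patch or movemail's code; the helper name `open_as_real_group` and the small `main` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not movemail's code): open `path` with the effective
   gid temporarily set to the real gid, so the kernel performs the permission
   check as the invoking user at open() time. This replaces an access()
   pre-check, which tests the file at one moment and opens it at another. */
int open_as_real_group(const char *path, int flags, mode_t mode)
{
    gid_t privileged = getegid();   /* e.g. "mail" when installed setgid */
    int fd, saved_errno;

    /* Drop the group privilege; refuse to continue if the drop fails. */
    if (setegid(getgid()) != 0)
        return -1;

    fd = open(path, flags, mode);
    saved_errno = errno;            /* keep open()'s error across setegid() */

    /* Re-raise the egid so later steps (lockfile creation) still work.
       The saved set-group-ID makes this possible after setegid(). */
    if (setegid(privileged) != 0) {
        saved_errno = errno;
        if (fd >= 0)
            close(fd);
        fd = -1;
    }
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    int fd = open_as_real_group(argv[1], O_RDONLY, 0);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    close(fd);
    return 0;
}
```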