Based on the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=352482,
adjusted to apply correctly.

--- mm2.7/src/metamail/metamail.c	2006-02-15 16:15:08.000000000 -0500
+++ mm2.7/src/metamail/metamail.c	2006-02-15 16:19:42.000000000 -0500
@@ -447,7 +447,7 @@
         }
         LineBuf = malloc(LINE_BUF_SIZE);
         if (!LineBuf) ExitWithError(nomem);
-        sprintf(LineBuf, "--%s", boundary);
+        snprintf(LineBuf, LINE_BUF_SIZE, "--%s", boundary);
         strcpy(boundary, LineBuf);
         boundarylen = strlen(boundary);
         if (BoundaryCt >= BoundaryAlloc) {
@@ -2118,7 +2118,7 @@
                         if (boundary[0] == '"') {
                             boundary=UnquoteString(boundary);
                         }
-                        sprintf(LineBuf, "--%s", boundary);
+                        snprintf(LineBuf, LINE_BUF_SIZE, "--%s", boundary);
                         strcpy(boundary, LineBuf);
                         boundarylen = strlen(boundary);
                         if (BoundaryCt >= BoundaryAlloc) {