Colorview fails to validate that the user has access to the file supplied to the -text option. As a result, users can view arbitrary files.
/usr/sbin/colorview -text /var/spool/mail/admin
IRIX contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user passes any file name to colorview using the -text argument, which will disclose the contents of the file resulting in a loss of confidentiality.
Upgrade to version 5.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: remove the setuid bit from colorview.
#chmod u-s /usr/sbin/colorview