The --url parameter included in the GNU Mailutils maidag utility (versions 2.0 through 3.7) can be abused to write to arbitrary files on the host operating system. By default, maidag is set to execute with setuid root permissions, which can lead to local privilege escalation through code/command execution by writing to the system's crontab or by writing to other root-owned files on the operating system. This issue has been fixed in mailutils 3.8. A patch has also been offered for 3.7 (see URL submitted with this bug). The flaw has been assigned CVE-2019-18862.

Reproducible: Always

Steps to Reproduce:
1. Install mailutils

Actual Results:
The --url parameter of maidag can be used to write to arbitrary files due to the default setuid permissions.
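A defensive check for the condition the report describes, added here as an example that is not part of the original report or of Mailutils: it flags a maidag binary that is both setuid root and within the 2.0 to 3.7 range. The function names and the `--version` output format are assumptions, and a 3.7 build carrying the offered patch is still flagged because only the version number is compared.

```python
import os
import re
import shutil
import stat
import subprocess

# Affected range as stated in the report: 2.0 through 3.7, fixed in 3.8.
FIRST_AFFECTED = (2, 0)
LAST_AFFECTED = (3, 7)


def parse_version(text):
    """Return (major, minor) from the first dotted number in text, or None."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(st_mode, st_uid, version_text):
    """Classify a maidag binary from its mode bits, owner uid and version text."""
    version = parse_version(version_text)
    setuid_root = bool(st_mode & stat.S_ISUID) and st_uid == 0
    affected = version is not None and FIRST_AFFECTED <= version <= LAST_AFFECTED
    if setuid_root and affected:
        return "exposed"
    if setuid_root and version is None:
        return "setuid-root-unknown-version"
    if setuid_root:
        return "setuid-root-unaffected-version"
    if affected:
        return "affected-version-not-setuid-root"
    return "ok"


def audit(path=None):
    """Inspect the installed maidag; the path defaults to a PATH lookup."""
    path = path or shutil.which("maidag")
    if path is None:
        return "not-installed"
    st = os.stat(path)
    # Assumption: `maidag --version` prints the version on its first line.
    proc = subprocess.run([path, "--version"], capture_output=True,
                          text=True, timeout=5, check=False)
    lines = proc.stdout.splitlines()
    return assess(st.st_mode, st.st_uid, lines[0] if lines else "")


if __name__ == "__main__":
    print(audit())
```
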
amd64 stable
arm stable
x86 stable
ppc64 stable
ia64 stable
ppc stable
fwiw, some arm64 USE=kerberos builds are failing, but not all.

USE='berkdb -bidi clients emacs -gdbm -guile -ipv6 kerberos -kyotocabinet ldap mysql nls pam postgres -python -sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8

USE='-berkdb bidi clients -emacs -gdbm guile ipv6 kerberos -kyotocabinet ldap -mysql nls pam -postgres -python sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8

Before it was failing to link with heimdal as virtual/krb5 provider, but now I converted back to mit-krb5 and it seems to still fail, but don't have fresh logs handy. Once I have cycles to spend further on this, this would be converted to a dependent bug report then. Maybe someone else wants to give those USE combinations a try meanwhile.
arm64 stable. @maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3af573c26166f7ea1a1e4aeec071866417a3d1a

commit e3af573c26166f7ea1a1e4aeec071866417a3d1a
Author: Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-13 06:50:22 +0000
Commit: Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-13 06:51:07 +0000

    net-mail/mailutils: cleanup

    Bug: https://bugs.gentoo.org/700806
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/mailutils/Manifest | 2 -
 net-mail/mailutils/files/hdr.at | 36 ------
 .../files/mailutils-3.4-MH-testsuite.patch | 70 -----------
 .../files/mailutils-3.4-fix-endianness.patch | 122 ------------------
 .../mailutils/files/mailutils-3.4-fno-common.patch | 11 --
 net-mail/mailutils/files/nohdr.at | 26 ----
 net-mail/mailutils/files/twomsg.at | 73 -----------
 net-mail/mailutils/files/weed.at | 29 -----
 net-mail/mailutils/mailutils-3.4-r3.ebuild | 140 ---------------------
 net-mail/mailutils/mailutils-3.7.ebuild | 140 ---------------------
 10 files changed, 649 deletions(-)
Thanks!
This issue was resolved and addressed in GLSA 202006-12 at https://security.gentoo.org/glsa/202006-12 by GLSA coordinator Aaron Bauman (b-man).