Bug 802867

Summary:	<net-mail/mailutils-3.12-r3: mail(1) processes escape sequences in bodies non-interactively, possible RCE
Product:	Gentoo Security	Reporter:	Hank Leininger <hlein>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	eras
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://savannah.gnu.org/bugs/index.php?60937
Whiteboard:	B1 [glsa+]
Package list:	net-mail/mailutils-3.12-r3	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	802513

Description Hank Leininger 2021-07-19 08:51:31 UTC

mail(1) from mailutils would process escape sequences (like ~! shellcommand) in message bodies piped/redirected in. This creates an RCE if some part of the message body is under an attacker's control, like in https://bugs.gentoo.org/802513

mail(1) from mail-client/mailx (which we get from Debian, which they got from OpenBSD) had the same issue originally, but changed to ignore escapes when not running interactively long ago.

Upstream mailutils has committed a fix to update its behavior; see $URL and https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f. Not sure if a new release is imminent, but it is a small patch and should be easy to cherry-pick.

Comment 1 Sam James archtester

2021-07-31 01:49:09 UTC

Bumped in https://bugs.gentoo.org/802513#c12.

@eras, let us know when ready to stable.

Comment 2 NATTkA bot gentoo-dev

2021-07-31 01:52:23 UTC Comment hidden (obsolete)

Unable to check for sanity:

> disallowed package spec (only = allowed): <net-mail/mailutils-3.12-r3

Comment 3 NATTkA bot gentoo-dev

2021-07-31 14:16:43 UTC

All sanity-check issues have been resolved

Comment 4 Sam James archtester

2021-07-31 22:12:15 UTC

arm done

Comment 5 Sam James archtester

2021-07-31 22:21:20 UTC

ppc done

Comment 6 Sam James archtester

2021-07-31 22:21:43 UTC

ppc64 done

Comment 7 Sam James archtester

2021-07-31 22:23:06 UTC

sparc done

Comment 8 Sam James archtester

2021-08-01 02:59:19 UTC

amd64 done

Comment 9 Sam James archtester

2021-08-01 05:12:08 UTC

x86 done

Comment 10 Sam James archtester

2021-08-01 23:50:55 UTC

arm64 done

all arches done

Comment 11 Sam James archtester

2021-08-02 00:11:34 UTC

Please cleanup, thanks!

Comment 12 Larry the Git Cow gentoo-dev

2021-08-02 10:59:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b12959127f779d6ee0fb3c15fd96be2f24e74913

commit b12959127f779d6ee0fb3c15fd96be2f24e74913
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-08-02 10:58:50 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-08-02 10:58:50 +0000

    net-mail/mailutils: cleanup
    
    Bug: https://bugs.gentoo.org/802867
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/mailutils/mailutils-3.12-r2.ebuild | 143 ----------------------------
 1 file changed, 143 deletions(-)

Comment 13 Larry the Git Cow gentoo-dev

2023-10-19 05:48:50 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3e4a6266341c7f754ede0bb2d3c6a7f37daef958

commit 3e4a6266341c7f754ede0bb2d3c6a7f37daef958
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-19 05:47:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-19 05:48:22 +0000

    [ GLSA 202310-13 ] GNU Mailutils: unexpected processsing of escape sequences
    
    Bug: https://bugs.gentoo.org/802867
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-13.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)