Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 802867

Summary: <net-mail/mailutils-3.12-r3: mail(1) processes escape sequences in bodies non-interactively, possible RCE
Product: Gentoo Security Reporter: Hank Leininger <hlein>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: eras
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://savannah.gnu.org/bugs/index.php?60937
Whiteboard: B1 [glsa?]
Package list:
net-mail/mailutils-3.12-r3
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 802513    

Description Hank Leininger 2021-07-19 08:51:31 UTC 
mail(1) from mailutils would process escape sequences (like ~! shellcommand) in message bodies piped/redirected in. This creates an RCE if some part of the message body is under an attacker's control, like in https://bugs.gentoo.org/802513

mail(1) from mail-client/mailx (which we get from Debian, which they got from OpenBSD) had the same issue originally, but changed to ignore escapes when not running interactively long ago.

Upstream mailutils has committed a fix to update its behavior; see $URL and https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f. Not sure if a new release is imminent, but it is a small patch and should be easy to cherry-pick.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 01:49:09 UTC 
Bumped in https://bugs.gentoo.org/802513#c12.

@eras, let us know when ready to stable.
Comment 2 NATTkA bot gentoo-dev 2021-07-31 01:52:23 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-31 14:16:43 UTC 
All sanity-check issues have been resolved
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 22:12:15 UTC 
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 22:21:20 UTC 
ppc done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 22:21:43 UTC 
ppc64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-31 22:23:06 UTC 
sparc done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-01 02:59:19 UTC 
amd64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-01 05:12:08 UTC 
x86 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-01 23:50:55 UTC 
arm64 done

all arches done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-02 00:11:34 UTC 
Please cleanup, thanks!
Comment 12 Larry the Git Cow gentoo-dev 2021-08-02 10:59:18 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b12959127f779d6ee0fb3c15fd96be2f24e74913

commit b12959127f779d6ee0fb3c15fd96be2f24e74913
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-08-02 10:58:50 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-08-02 10:58:50 +0000

    net-mail/mailutils: cleanup
    
    Bug: https://bugs.gentoo.org/802867
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/mailutils/mailutils-3.12-r2.ebuild | 143 ----------------------------
 1 file changed, 143 deletions(-)