From ${URL} :

It turns out that various versions of mailx have shell command injection via crafted email addresses. These issues are different from the POSIX-mandated shell escape in email bodies (“~!”), which most implementations switch off when the input is not a terminal.

There are two main branches of mailx these days, Heirloom mailx and BSD mailx. Heirloom mailx appears defunct upstream. For BSD mailx, OpenBSD seems the canonical source these days. I discussed these issues with Todd Miller, who kindly provided patches for their version.

*** Heirloom mailx ***

For Heirloom mailx, the numbered patches address the following issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses by default. That avoids a direct command injection with syntactically valid email addresses starting with “|”. Such addresses can be specified on the command line, in the mail headers (with “-t”), or in address lines copied over from previous mail while replying. This was assigned CVE-2014-7844 for some versions of BSD mailx. It is documented behavior for Heirloom mailx, and was mentioned in an old technical report about BSD mailx (which does not usually make its way into operating system installations). The patch switches off this processing and updates the documentation.

0002. When invoking sendmail, prevent option processing for email address arguments. This prevents changing e.g. the Postfix configuration file in unexpected ways. This behavior was documented for BSD mailx (sort of), but not for Heirloom mailx. We did not assign a CVE to this because it is more of a missing feature, and code invoking mailx needs adjustment in the caller as well.

0003. Make wordexp support mandatory. (No functional change.)

0004. Prevent command execution in the expand function, which is IMHO unexpected. (Not really required with patch 1, and there is still information disclosure/DoS potential if this expansion occurs.) This is a historic vulnerability already fixed in the Debian package, retroactively assigned CVE-2004-2771: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748> (The Heirloom patch is slightly different because of the existing use of wordexp.)

*** BSD mailx ***

The unnumbered patches are for BSD mailx. Their order is: remove_T, minus_f, mail_glob, expandaddr, nosendmail. remove_T and minus_f have already been committed. The remaining three roughly correspond to my patches 0003+0004, 0001, and 0002.

The previous BSD mailx code seems to have an implicit dependency on a non-option-reordering getopt. (BSD getopt does not recognize options after non-option arguments; GNU getopt does.) I think the minus_f patch only improves matters in this regard.

*** Fixing applications ***

Applications calling mailx with untrusted addresses which can start with “-” still need updating to use “--”. This is sadly not compatible with older mailx versions lacking the equivalent of patch 0002. However, directly calling “/usr/sbin/sendmail -i -t” with a self-constructed email header will work on almost all systems.

Option processing is risky for two reasons: Some of the options are plainly harmful (e.g., “-Sexpandaddr=@...mple.com”). Others can be used to mask email addresses, which means that mailx enters read mode, where you can run shells using the “!” escape (which is especially problematic if mailx is used to send mail with partially attacker-controlled content). For Heirloom mailx, I tried to work around this, but both Sebastian Krahmer and Todd Miller helpfully pointed out that I missed some options, and that the whole approach is unlikely to work, ever.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
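A worked illustration of the "Fixing applications" advice in the quoted advisory, as an added example that is not part of the original post, of Gentoo, or of any mailx or sendmail code: a POSIX sh helper that refuses recipient strings mailx would interpret as an option ("-…"), a pipe ("|…"), a path ("/…") or a folder ("+…"), and then hands a self-constructed header to "sendmail -i -t" so the address never appears in any argument list. The function names, the character whitelist and the sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Safe hand-off of an untrusted
# recipient address to the MTA. Function names and the address whitelist
# are assumptions of this example, not anything mailx or sendmail defines.

# Vulnerable pattern (do not use): the address is the last argument, so
# "-Sexpandaddr=..." is parsed as an option and "|cmd" as a pipe:
#     mailx -s "$subject" "$addr"
# A mailx with the equivalent of patch 0002 accepts a separator:
#     mailx -s "$subject" -- "$addr"
# Portable alternative used below: build the header ourselves and let
# sendmail read the recipient from it with "-i -t".

# check_addr ADDR -> 0 if ADDR is a plain local@domain address, 1 otherwise.
# Rejects the forms the advisory warns about (leading "-", "|", "/" or "+")
# and anything outside a conservative character set, which also keeps CR/LF
# (header injection into the -t stream) and shell metacharacters out.
check_addr() {
    case "$1" in
        ''|-*|'|'*|/*|+*) return 1 ;;          # option, pipe, path, folder
    esac
    case "$1" in
        *[!A-Za-z0-9._%+@-]*) return 1 ;;      # whitespace, quotes, CR, LF, ";" ...
    esac
    case "$1" in
        *@*@*) return 1 ;;                     # exactly one "@"
        ?*@?*.?*) return 0 ;;                  # something@host.tld
        *) return 1 ;;
    esac
}

# build_message TO SUBJECT  (body on stdin) -> RFC 822 message on stdout.
# CR/LF are stripped from the subject so a caller-supplied subject cannot
# smuggle extra headers (e.g. "Bcc:") into the -t stream either.
build_message() {
    to=$1
    subject=$(printf '%s' "$2" | tr -d '\r\n')
    printf 'To: %s\nSubject: %s\n\n' "$to" "$subject"
    cat
}

# send_mail TO SUBJECT  (body on stdin): validate, then pipe to sendmail.
# Nothing attacker-controlled ever reaches sendmail's argument list.
send_mail() {
    check_addr "$1" || { printf 'refusing recipient: %s\n' "$1" >&2; return 1; }
    build_message "$1" "$2" | /usr/sbin/sendmail -i -t
}
```

The whitelist is deliberately narrower than RFC 5322 (no quoted local parts, no display names); a caller that needs those should validate with a real address parser and still use the "-i -t" hand-off, because the injection surface is the argument list and the header stream, not the address grammar.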
CVE-2004-2771 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-2771): The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.
@ Maintainer(s): Please bump current upstream version 8.1.2-0.20160123cvs-3.
@Maintainers ping Gentoo Security Padawan ChrisADR
net-mail please review and merge https://github.com/gentoo/gentoo/pull/6710
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=660d273f56e614c8d601d001dcfc72527b7a530f

commit 660d273f56e614c8d601d001dcfc72527b7a530f
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-01-01 18:49:00 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2018-01-01 19:58:18 +0000

    mail-client/mailx: drop vulnerable

    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 mail-client/mailx/mailx-8.1.2.20050715-r7.ebuild | 58 ------------------------
 1 file changed, 58 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5b1059c8e1dec352bf549be349bd8082623e8db

commit e5b1059c8e1dec352bf549be349bd8082623e8db
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-01-01 18:47:56 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2018-01-01 19:58:13 +0000

    mail-client/mailx: version bump to 8.1.2.20160123

    Closes: https://bugs.gentoo.org/485432
    Closes: https://bugs.gentoo.org/554354
    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 mail-client/mailx/Manifest                    |  2 +
 mail-client/mailx/mailx-8.1.2.20160123.ebuild | 55 +++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
ia64 stable
ppc/ppc64 stable
amd64 stable
x86 stable
Stable on alpha.
arm stable
New GLSA Request filed. @hppa please finish stabilization. Thank you
This issue was resolved and addressed in GLSA 201804-06 at https://security.gentoo.org/glsa/201804-06 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arch and cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=651a166733627b5dd5145d4a788fc3645f2a371d

commit 651a166733627b5dd5145d4a788fc3645f2a371d
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-09 17:59:13 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-09 18:42:02 +0000

    mail-client/mailx: stable 8.1.2.20160123 for hppa/sparc

    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="hppa sparc"

 mail-client/mailx/mailx-8.1.2.20160123.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Some arches are still pending to stabilize
(In reply to Sergei Trofimovich from comment #7)
> ppc/ppc64 stable

Sergei, did you miss a push here?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4958a02fad4303587c98a4025bf6c5c088e31226

commit 4958a02fad4303587c98a4025bf6c5c088e31226
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-26 14:08:58 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-26 14:08:58 +0000

    mail-client/mailx: drop vulnerable

    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/mailx/Manifest                            |  2 -
 .../mailx/files/mailx-8.1.2.20050715-nostrip.patch    | 22 -------
 mail-client/mailx/mailx-8.1.2.20050715-r6.ebuild      | 71 ----------------------
 3 files changed, 95 deletions(-)