Description Agostino Sarubbo 2014-12-21 18:13:45 UTC

From ${URL} :

It turns out that various versions of mailx have shell command injection 
via crafted email addresses.  These issues are different from the 
POSIX-mandated shell escape in email bodies (“~!”), which most 
implementations switch off when the input is not a terminal.

There are two main branches of mailx these days, Heirloom mailx and BSD 
mailx.

Heirloom mailx appears defunct upstream.

For BSD mailx, OpenBSD seems the canonical source these days.  I 
discussed these issues with Todd Miller, who kindly provided patches for 
their version.

*** Heirloom mailx ***

For Heirloom mailx, the numbered patches address the following issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses 
by default.  That avoids a direct command injection with syntactically 
valid email addresses starting with “|”.

Such addresses can be specified both on the command line, the mail 
headers (with “-t”) or in address lines copied over from previous mail 
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx.  It is 
documented behavior for Heirloom mailx, and was mentioned in an old 
technical report about BSD mailx (which does not usually make its way 
into operating system installations).  The patch switches off this 
processing and updates the documentation.

0002. When invoking sendmail, prevent option processing for email 
address arguments.  This prevents changing e.g. the Postfix 
configuration file in unexpected ways.  This behavior was documented for 
BSD mailx (sort of), but not for Heirloom mailx.  We did not assign a 
CVE to this because it is more of a missing feature, and code invoking 
mailx needs adjustment in the caller as well.

0003. Make wordexp support mandatory.  (No functional change.)

0004. Prevent command execution in the expand function, which is IMHO 
unexpected.  (Not really required with patch 1, and there is still 
information disclosure/DoS potential if this expansion occurs.)  This is 
a historic vulnerability already fixed in the Debian package, 
retroactively assigned CVE-2004-2771:

    <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748>

(The Heirloom patch is slightly different because of the existing use of 
wordexp.)

*** BSD mailx ***

The unnumbered patches are for BSD mailx.  Their order is: remove_T, 
minus_f, mail_glob, expandaddr, nosendmail.  remove_T and minus_f have 
already been committed.  The remaining three roughly correspond to my 
patches 0003+0004, 0001, and 0002.

The previous BSD mailx code seems to have an implicit dependency of a 
non-option-reordering getopt.  (BSD getopt does not recognize options 
after non-option arguments, GNU getopt does.)  I think the minus_f patch 
only improves matters in this regard.

*** Fixing applications ***

Applications calling mailx with untrusted addresses which can start with 
“-” still need updating to use “--”.  This is sadly not compatible with 
older mailx versions lacking the equivalent of patch 0002.  However, 
directly calling “/usr/sbin/sendmail -i -t” with a self-constructed 
email header will work on almost all systems.

Option processing is risky for two reasons: Some of the options are 
plainly harmful (e.g., “-Sexpandaddr=@...mple.com”).  Others can be used 
to mask email addresses, which means that mailx enters read mode, where 
you can run shells using the “!” escape (which is especially problematic 
if mailx is used to send mail with partially attacker-controlled content).

For Heirloom mailx, I tried to work around this, but both Sebastian 
Krahmer and Todd Miller helpfully pointed out that I missed some 
options, and that the whole approach is unlikely to work, ever.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.