Bug 802867 - <net-mail/mailutils-3.12-r3: mail(1) processes escape sequences in bodies non-interactively, possible RCE
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://savannah.gnu.org/bugs/index.p...
Whiteboard: B1 [glsa?]
Keywords:
Depends on:
Blocks: CVE-2021-32749
Reported: 2021-07-19 08:51 UTC by Hank Leininger
Modified: 2021-08-02 10:59 UTC (History)

See Also:
Package list:
net-mail/mailutils-3.12-r3
Runtime testing required: ---
nattka: sanity-check+


Description Hank Leininger 2021-07-19 08:51:31 UTC
mail(1) from mailutils would process escape sequences (like ~! shellcommand) in message bodies piped/redirected in. This creates an RCE if some part of the message body is under an attacker's control, like in https://bugs.gentoo.org/802513

mail(1) from mail-client/mailx (which we get from Debian, which they got from OpenBSD) had the same issue originally, but changed to ignore escapes when not running interactively long ago.

Upstream mailutils has committed a fix to update its behavior; see $URL and https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f. Not sure if a new release is imminent, but it is a small patch and should be easy to cherry-pick.
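
Added example, not part of the original report or of mailutils: a pre-filter for scripts that pipe partly untrusted text into mail(1) and may still run an unpatched version. It assumes the default escape character `~`, recognised only at the start of a line; the function names and the sample body are constructed for illustration.

```shell
#!/bin/sh
# Added example (not mailutils code). Assumption: mail(1) is using its
# default escape character "~", which is only special in column one.

# count_escape_lines: print the number of stdin lines that start with "~".
# grep -c exits 1 when the count is 0, so mask that for "set -e" callers.
count_escape_lines() {
    grep -c '^~' || true
}

# neutralize_escapes: prefix one space to every line starting with "~" so
# that an unpatched mail(1) sees ordinary text. A patched mail(1) ignores
# escapes on non-interactive input anyway, so the filter is harmless there.
neutralize_escapes() {
    sed 's/^~/ ~/'
}

# safe_mail SUBJECT RECIPIENT: hypothetical wrapper that reads the body on
# stdin, logs when it had to neutralize something, then hands it to mail(1).
safe_mail() {
    body=$(cat)
    hits=$(printf '%s\n' "$body" | count_escape_lines)
    if [ "$hits" -gt 0 ]; then
        echo "safe_mail: neutralized $hits escape-like line(s)" >&2
    fi
    printf '%s\n' "$body" | neutralize_escapes | mail -s "$1" "$2"
}

# Constructed sample body: line 2 is the kind of line the report describes,
# line 3 has a tilde that is not in column one and must stay untouched.
sample_body() {
    printf '%s\n' \
        'Disk report for host01' \
        '~! shellcommand' \
        'usage: 42% ~ok'
}

# Demo: show the filtered body (does not invoke mail).
sample_body | neutralize_escapes
```

Filtering is a stopgap for callers; the fix itself is the upgrade to the patched package named in this bug.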
Comment 1 Sam James archtester gentoo-dev Security 2021-07-31 01:49:09 UTC
Bumped in https://bugs.gentoo.org/802513#c12.

@eras, let us know when ready to stable.
Comment 2 NATTkA bot gentoo-dev 2021-07-31 01:52:23 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-31 14:16:43 UTC
All sanity-check issues have been resolved
Comment 4 Sam James archtester gentoo-dev Security 2021-07-31 22:12:15 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2021-07-31 22:21:20 UTC
ppc done
Comment 6 Sam James archtester gentoo-dev Security 2021-07-31 22:21:43 UTC
ppc64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-07-31 22:23:06 UTC
sparc done
Comment 8 Sam James archtester gentoo-dev Security 2021-08-01 02:59:19 UTC
amd64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-08-01 05:12:08 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-08-01 23:50:55 UTC
arm64 done

all arches done
Comment 11 Sam James archtester gentoo-dev Security 2021-08-02 00:11:34 UTC
Please cleanup, thanks!
Comment 12 Larry the Git Cow gentoo-dev 2021-08-02 10:59:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b12959127f779d6ee0fb3c15fd96be2f24e74913

commit b12959127f779d6ee0fb3c15fd96be2f24e74913
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-08-02 10:58:50 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-08-02 10:58:50 +0000

    net-mail/mailutils: cleanup
    
    Bug: https://bugs.gentoo.org/802867
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/mailutils/mailutils-3.12-r2.ebuild | 143 ----------------------------
 1 file changed, 143 deletions(-)