mail(1) from mailutils would process escape sequences (like ~! shellcommand) in message bodies piped/redirected in. This creates an RCE if some part of the message body is under an attacker's control, like in https://bugs.gentoo.org/802513.

mail(1) from mail-client/mailx (which we get from Debian, which they got from OpenBSD) had the same issue originally, but changed to ignore escapes when not running interactively long ago.

Upstream mailutils has committed a fix to update its behavior; see $URL and https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f. Not sure if a new release is imminent, but it is a small patch and should be easy to cherry-pick.
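Added example (not part of the original report and not mailutils code): a shell filter that a script can place in front of mail(1) on hosts still running an unpatched version, so that text from an untrusted source never presents a line starting with the escape character. It assumes the default escape character "~"; the function names and the sample body are constructed for illustration.

```shell
#!/bin/sh
# Defensive pre-filter for text that will be piped into mail(1).
# Assumption: the escape character is the default "~".

# has_tilde_line: exit status 0 if stdin contains a line starting with "~",
# i.e. a line an escape-processing mail(1) would treat as a command.
has_tilde_line() {
    grep -q '^~'
}

# count_tilde_lines: print how many lines of stdin start with "~".
# grep -c exits 1 when the count is 0, so the status is normalised.
count_tilde_lines() {
    grep -c '^~' || true
}

# neutralize_tilde_lines: copy stdin to stdout, putting one space in front
# of every line that starts with "~". The escape character is only special
# in the first column, so the line becomes ordinary body text. A "~" that
# appears later in a line (for example a path such as ~/backup) is untouched.
neutralize_tilde_lines() {
    sed 's/^~/ ~/'
}

# sample_body: constructed message body. Line 2 has the shape of the escape
# named in the report ("~! shellcommand" is the report's own placeholder).
sample_body() {
    printf '%s\n' \
        'Nightly report for host01' \
        '~! shellcommand' \
        'path: ~/backup is fine' \
        '~~literal tilde line'
}

# Demonstration: report what was found, then show the neutralised body.
# In a real script the last stage would be the existing mail(1) invocation.
if sample_body | has_tilde_line; then
    echo "found $(sample_body | count_tilde_lines) escape-shaped line(s)" >&2
fi
sample_body | neutralize_tilde_lines
```

The filter changes the body by one leading space per affected line; updating to a mailutils version that carries the upstream fix removes the need for it.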
Bumped in https://bugs.gentoo.org/802513#c12. @eras, let us know when ready to stable.
Unable to check for sanity: > disallowed package spec (only = allowed): <net-mail/mailutils-3.12-r3
All sanity-check issues have been resolved
arm done
ppc done
ppc64 done
sparc done
amd64 done
x86 done
arm64 done
all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b12959127f779d6ee0fb3c15fd96be2f24e74913

commit b12959127f779d6ee0fb3c15fd96be2f24e74913
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2021-08-02 10:58:50 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2021-08-02 10:58:50 +0000

    net-mail/mailutils: cleanup

    Bug: https://bugs.gentoo.org/802867
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/mailutils/mailutils-3.12-r2.ebuild | 143 ----------------------------
 1 file changed, 143 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3e4a6266341c7f754ede0bb2d3c6a7f37daef958

commit 3e4a6266341c7f754ede0bb2d3c6a7f37daef958
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-19 05:47:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-19 05:48:22 +0000

    [ GLSA 202310-13 ] GNU Mailutils: unexpected processing of escape sequences

    Bug: https://bugs.gentoo.org/802867
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-13.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)