mail(1) from mailutils would process escape sequences (like ~! shellcommand) in message bodies piped/redirected in. This creates an RCE if some part of the message body is under an attacker's control, like in https://bugs.gentoo.org/802513
mail(1) from mail-client/mailx (which we get from Debian, which they got from OpenBSD) had the same issue originally, but changed to ignore escapes when not running interactively long ago.
Upstream mailutils has committed a fix to update its behavior; see $URL and https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f. Not sure if a new release is imminent, but it is a small patch and should be easy to cherry-pick.
Bumped in https://bugs.gentoo.org/802513#c12.
@eras, let us know when ready to stable.
Unable to check for sanity:
> disallowed package spec (only = allowed): <net-mail/mailutils-3.12-r3
All sanity-check issues have been resolved
all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):
Author: Eray Aslan <email@example.com>
AuthorDate: 2021-08-02 10:58:50 +0000
Commit: Eray Aslan <firstname.lastname@example.org>
CommitDate: 2021-08-02 10:58:50 +0000
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Eray Aslan <email@example.com>
net-mail/mailutils/mailutils-3.12-r2.ebuild | 143 ----------------------------
1 file changed, 143 deletions(-)