Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533208 (CVE-2004-2771, CVE-2014-7844) - <mail-client/mailx-8.1.2.20160123: Multiple vulnerabilities
Summary: <mail-client/mailx-8.1.2.20160123: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2004-2771, CVE-2014-7844
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-21 18:13 UTC by Agostino Sarubbo
Modified: 2018-05-26 14:09 UTC (History)
2 users (show)

See Also:
Package list:
=mail-client/mailx-8.1.2.20160123
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-21 18:13:45 UTC
From ${URL} :

It turns out that various versions of mailx have shell command injection 
via crafted email addresses.  These issues are different from the 
POSIX-mandated shell escape in email bodies (“~!”), which most 
implementations switch off when the input is not a terminal.

There are two main branches of mailx these days, Heirloom mailx and BSD 
mailx.

Heirloom mailx appears defunct upstream.

For BSD mailx, OpenBSD seems the canonical source these days.  I 
discussed these issues with Todd Miller, who kindly provided patches for 
their version.

*** Heirloom mailx ***

For Heirloom mailx, the numbered patches address the following issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses 
by default.  That avoids a direct command injection with syntactically 
valid email addresses starting with “|”.

Such addresses can be specified both on the command line, the mail 
headers (with “-t”) or in address lines copied over from previous mail 
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx.  It is 
documented behavior for Heirloom mailx, and was mentioned in an old 
technical report about BSD mailx (which does not usually make its way 
into operating system installations).  The patch switches off this 
processing and updates the documentation.

0002. When invoking sendmail, prevent option processing for email 
address arguments.  This prevents changing e.g. the Postfix 
configuration file in unexpected ways.  This behavior was documented for 
BSD mailx (sort of), but not for Heirloom mailx.  We did not assign a 
CVE to this because it is more of a missing feature, and code invoking 
mailx needs adjustment in the caller as well.

0003. Make wordexp support mandatory.  (No functional change.)

0004. Prevent command execution in the expand function, which is IMHO 
unexpected.  (Not really required with patch 1, and there is still 
information disclosure/DoS potential if this expansion occurs.)  This is 
a historic vulnerability already fixed in the Debian package, 
retroactively assigned CVE-2004-2771:

    <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748>

(The Heirloom patch is slightly different because of the existing use of 
wordexp.)

*** BSD mailx ***

The unnumbered patches are for BSD mailx.  Their order is: remove_T, 
minus_f, mail_glob, expandaddr, nosendmail.  remove_T and minus_f have 
already been committed.  The remaining three roughly correspond to my 
patches 0003+0004, 0001, and 0002.

The previous BSD mailx code seems to have an implicit dependency of a 
non-option-reordering getopt.  (BSD getopt does not recognize options 
after non-option arguments, GNU getopt does.)  I think the minus_f patch 
only improves matters in this regard.

*** Fixing applications ***

Applications calling mailx with untrusted addresses which can start with 
“-” still need updating to use “--”.  This is sadly not compatible with 
older mailx versions lacking the equivalent of patch 0002.  However, 
directly calling “/usr/sbin/sendmail -i -t” with a self-constructed 
email header will work on almost all systems.

Option processing is risky for two reasons: Some of the options are 
plainly harmful (e.g., “-Sexpandaddr=@...mple.com”).  Others can be used 
to mask email addresses, which means that mailx enters read mode, where 
you can run shells using the “!” escape (which is especially problematic 
if mailx is used to send mail with partially attacker-controlled content).

For Heirloom mailx, I tried to work around this, but both Sebastian 
Krahmer and Todd Miller helpfully pointed out that I missed some 
options, and that the whole approach is unlikely to work, ever.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-01 23:16:33 UTC
CVE-2004-2771 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-2771):
  The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD
  mailx 8.1.2 and earlier allows remote attackers to execute arbitrary
  commands via shell metacharacters in an email address.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-01 17:43:54 UTC
@ Maintainer(s): Please bump current upstream version 8.1.2-0.20160123cvs-3.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 04:23:04 UTC
@Maintainers ping

Gentoo Security Padawan
ChrisADR
Comment 4 Matthias Maier gentoo-dev 2018-01-01 19:10:47 UTC
net-mail please review and merge https://github.com/gentoo/gentoo/pull/6710
Comment 5 Larry the Git Cow gentoo-dev 2018-01-01 20:00:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=660d273f56e614c8d601d001dcfc72527b7a530f

commit 660d273f56e614c8d601d001dcfc72527b7a530f
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-01-01 18:49:00 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2018-01-01 19:58:18 +0000

    mail-client/mailx: drop vulnerable
    
    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 mail-client/mailx/mailx-8.1.2.20050715-r7.ebuild | 58 ------------------------
 1 file changed, 58 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5b1059c8e1dec352bf549be349bd8082623e8db

commit e5b1059c8e1dec352bf549be349bd8082623e8db
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-01-01 18:47:56 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2018-01-01 19:58:13 +0000

    mail-client/mailx: version bump to 8.1.2.20160123
    
    Closes: https://bugs.gentoo.org/485432
    Closes: https://bugs.gentoo.org/554354
    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 mail-client/mailx/Manifest                    |  2 +
 mail-client/mailx/mailx-8.1.2.20160123.ebuild | 55 +++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)}
Comment 6 Sergei Trofimovich gentoo-dev 2018-03-23 23:40:34 UTC
ia64 stable
Comment 7 Sergei Trofimovich gentoo-dev 2018-03-24 11:15:30 UTC
ppc/ppc64 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-03-24 22:16:58 UTC
amd64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2018-03-25 22:45:24 UTC
x86 stable
Comment 10 Tobias Klausmann gentoo-dev 2018-03-31 10:12:54 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2018-04-08 10:46:31 UTC
arm stable
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-04-08 17:40:41 UTC
New GLSA Request filed.

@hppa please finish stabilization. 

Thank you
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 23:27:48 UTC
This issue was resolved and addressed in
 GLSA 201804-06 at https://security.gentoo.org/glsa/201804-06
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-08 23:28:18 UTC
re-opened for final arch and cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2018-04-09 18:42:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=651a166733627b5dd5145d4a788fc3645f2a371d

commit 651a166733627b5dd5145d4a788fc3645f2a371d
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-09 17:59:13 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-09 18:42:02 +0000

    mail-client/mailx: stable 8.1.2.20160123 for hppa/sparc
    
    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="hppa sparc"

 mail-client/mailx/mailx-8.1.2.20160123.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 16 Pacho Ramos gentoo-dev 2018-04-14 09:59:26 UTC
Some arches are still pending to stabilize
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-14 15:44:12 UTC
(In reply to Sergei Trofimovich from comment #7)
> ppc/ppc64 stable

Sergei, did you miss a push here?
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-05-26 12:49:42 UTC
ppc/ppc64 stable
Comment 19 Larry the Git Cow gentoo-dev 2018-05-26 14:09:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4958a02fad4303587c98a4025bf6c5c088e31226

commit 4958a02fad4303587c98a4025bf6c5c088e31226
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-26 14:08:58 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-26 14:08:58 +0000

    mail-client/mailx: drop vulnerable
    
    Bug: https://bugs.gentoo.org/533208
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/mailx/Manifest                         |  2 -
 .../mailx/files/mailx-8.1.2.20050715-nostrip.patch | 22 -------
 mail-client/mailx/mailx-8.1.2.20050715-r6.ebuild   | 71 ----------------------
 3 files changed, 95 deletions(-)