Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 700806 (CVE-2019-18862) - <net-mail/mailutils-3.8: maidag utility allows to write to arbitrary files (CVE-2019-18862)
Summary: <net-mail/mailutils-3.8: maidag utility allows to write to arbitrary files (C...
Status: RESOLVED FIXED
Alias: CVE-2019-18862
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.mike-gualtieri.com/files/...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on: 704770
Blocks:
  Show dependency tree
 
Reported: 2019-11-20 19:19 UTC by Mike Gualtieri
Modified: 2020-06-13 01:52 UTC (History)
1 user (show)

See Also:
Package list:
net-mail/mailutils-3.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gualtieri 2019-11-20 19:19:55 UTC
The --url parameter included in the GNU Mailutils maidag utility (versions 2.0
through 3.7) can abused to write to arbitrary files on the host operating
system.  By default, maidag is set to execute with setuid root permissions,
which can lead to local privilege escalation through code/command execution by
writing to the system's crontab or by writing to other root owned files on the
operating system.  This issue has been fixed in mailutils 3.8.  A patch has also been offered for 3.7 (see URL submitted with this bug).  The flaw has been assigned CVE-2019-18862.

Reproducible: Always

Steps to Reproduce:
1. Install mailutils

Actual Results:  
The --url parameter of maidag can be used to write to arbitrary files due to the default setuid permissions.
Comment 1 Agostino Sarubbo gentoo-dev 2020-03-01 13:04:07 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-03-02 12:28:26 UTC
arm stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-02 12:32:11 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-02 12:39:43 UTC
ppc64 stable
Comment 5 Sergei Trofimovich gentoo-dev 2020-03-02 14:18:06 UTC
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-02 15:23:07 UTC
ppc stable
Comment 7 Mart Raudsepp gentoo-dev 2020-03-28 22:37:45 UTC
fwiw, some arm64 USE=kerberos builds are failing, but not all.

USE='berkdb -bidi clients emacs -gdbm -guile -ipv6 kerberos -kyotocabinet ldap mysql nls pam postgres -python -sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8
USE='-berkdb bidi clients -emacs -gdbm guile ipv6 kerberos -kyotocabinet ldap -mysql nls pam -postgres -python sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8

Before it was failing to link with heimdal as virtual/krb5 provider, but now I converted back to mit-krb5 and it seems to still fail, but don't have fresh logs handy.

Once I have cycles to spend further on this, this would be converted to a dependent bug report then. Maybe someone else wants to give those USE combinations a try meanwhile.
Comment 8 Sam James gentoo-dev Security 2020-05-12 21:49:49 UTC
arm64 stable.

@maintainer(s), please cleanup
Comment 9 Larry the Git Cow gentoo-dev 2020-05-13 06:51:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3af573c26166f7ea1a1e4aeec071866417a3d1a

commit e3af573c26166f7ea1a1e4aeec071866417a3d1a
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2020-05-13 06:50:22 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2020-05-13 06:51:07 +0000

    net-mail/mailutils: cleanup
    
    Bug: https://bugs.gentoo.org/700806
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 net-mail/mailutils/Manifest                        |   2 -
 net-mail/mailutils/files/hdr.at                    |  36 ------
 .../files/mailutils-3.4-MH-testsuite.patch         |  70 -----------
 .../files/mailutils-3.4-fix-endianness.patch       | 122 ------------------
 .../mailutils/files/mailutils-3.4-fno-common.patch |  11 --
 net-mail/mailutils/files/nohdr.at                  |  26 ----
 net-mail/mailutils/files/twomsg.at                 |  73 -----------
 net-mail/mailutils/files/weed.at                   |  29 -----
 net-mail/mailutils/mailutils-3.4-r3.ebuild         | 140 ---------------------
 net-mail/mailutils/mailutils-3.7.ebuild            | 140 ---------------------
 10 files changed, 649 deletions(-)
Comment 10 Sam James gentoo-dev Security 2020-05-13 07:13:05 UTC
Thanks!
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-06-13 01:52:31 UTC
This issue was resolved and addressed in
 GLSA 202006-12 at https://security.gentoo.org/glsa/202006-12
by GLSA coordinator Aaron Bauman (b-man).