The --url parameter included in the GNU Mailutils maidag utility (versions 2.0
through 3.7) can be abused to write to arbitrary files on the host operating
system. By default, maidag is set to execute with setuid root permissions,
which can lead to local privilege escalation through code/command execution by
writing to the system's crontab or by writing to other root-owned files on the
operating system. This issue has been fixed in mailutils 3.8. A patch has also been offered for 3.7 (see URL submitted with this bug). The flaw has been assigned CVE-2019-18862.
Steps to Reproduce:
1. Install mailutils
The --url parameter of maidag can be used to write to arbitrary files due to the default setuid permissions.
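For checking a host against the conditions in the report above (maidag installed setuid, version 2.0 through 3.7), the following is an added example, not code from the bug report or from Mailutils. The function names are hypothetical, the `--version` line format is an assumption shown as a constructed sample, and only the setuid bit is tested, not file ownership.

```shell
#!/bin/sh
# Added audit example for CVE-2019-18862; all function names are hypothetical.

# Succeeds (0) if VERSION is in the affected range 2.0 .. 3.7 from the report,
# returns 1 if outside it, 2 if the string is not a dotted numeric version.
maidag_version_affected() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0      # a bare "3" is treated as "3.0"
    minor=${rest%%.*}
    [ "$major" -eq 2 ] && return 0    # every 2.x release is in range
    [ "$major" -eq 3 ] && [ "$minor" -le 7 ] && return 0
    return 1
}

# Extract the version from the first line of `--version` output.
# Assumption: the line ends with the version number, as in the
# constructed sample "maidag (GNU Mailutils) 3.7".
maidag_parse_version() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\)$/\1/p'
}

# Succeeds if FILE is a regular file with the setuid bit set
# (ownership is not checked here).
is_setuid() { [ -f "$1" ] && [ -u "$1" ]; }

# Print a verdict for one binary. Returns 1 only when both conditions
# from the report hold: setuid bit set and version within 2.0 .. 3.7.
audit_maidag() {
    file=$1
    ver=$(maidag_parse_version "$2")
    if ! is_setuid "$file"; then
        echo "ok: $file is not setuid"
        return 0
    fi
    if maidag_version_affected "$ver"; then
        echo "AFFECTED: $file is setuid, version $ver (CVE-2019-18862)"
        return 1
    fi
    echo "review: $file is setuid, version '${ver:-unknown}' is outside 2.0-3.7"
    return 0
}

# Usage on a live system (assumes maidag is on PATH):
#   p=$(command -v maidag) && audit_maidag "$p" "$("$p" --version | head -n 1)"
```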
fwiw, some arm64 USE=kerberos builds are failing, but not all.
USE='berkdb -bidi clients emacs -gdbm -guile -ipv6 kerberos -kyotocabinet ldap mysql nls pam postgres -python -sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8
USE='-berkdb bidi clients -emacs -gdbm guile ipv6 kerberos -kyotocabinet ldap -mysql nls pam -postgres -python sasl servers -ssl -static-libs tcpd threads' failed for =net-mail/mailutils-3.8
Before it was failing to link with heimdal as virtual/krb5 provider, but now I converted back to mit-krb5 and it seems to still fail, but don't have fresh logs handy.
Once I have cycles to spend further on this, this would be converted to a dependent bug report then. Maybe someone else wants to give those USE combinations a try meanwhile.
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):
Author: Eray Aslan <email@example.com>
AuthorDate: 2020-05-13 06:50:22 +0000
Commit: Eray Aslan <firstname.lastname@example.org>
CommitDate: 2020-05-13 06:51:07 +0000
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Eray Aslan <email@example.com>
net-mail/mailutils/Manifest | 2 -
net-mail/mailutils/files/hdr.at | 36 ------
.../files/mailutils-3.4-MH-testsuite.patch | 70 -----------
.../files/mailutils-3.4-fix-endianness.patch | 122 ------------------
.../mailutils/files/mailutils-3.4-fno-common.patch | 11 --
net-mail/mailutils/files/nohdr.at | 26 ----
net-mail/mailutils/files/twomsg.at | 73 -----------
net-mail/mailutils/files/weed.at | 29 -----
net-mail/mailutils/mailutils-3.4-r3.ebuild | 140 ---------------------
net-mail/mailutils/mailutils-3.7.ebuild | 140 ---------------------
10 files changed, 649 deletions(-)
This issue was resolved and addressed in
GLSA 202006-12 at https://security.gentoo.org/glsa/202006-12
by GLSA coordinator Aaron Bauman (b-man).