Bug 1162783 (CVE-2004-2771, CVE-2014-7844)
| Summary: | CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Francisco Alonso <falonso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Leos Pol <lpol> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bressers, carnil, chazlett, cybernet2u, dmitry, fweimer, jchaloup, jrusnack, lpol, mmcallis, pschiffe, security-response-team, vkaigoro |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-12-16 21:09:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1171175, 1171176, 1171177, 1171178, 1174903, 1174904, 1175521 | ||
| Bug Blocks: | 1158744, 1165137 | ||
| Attachments: | |||
Created attachment 958222 [details]
0001-outof-Introduce-expandaddr-flag.patch
Created attachment 958223 [details]
0002-unpack-Disable-option-processing-for-email-addresses.patch
Created attachment 958224 [details]
0003-fio.c-Unconditionally-require-wordexp-support.patch
Created attachment 958225 [details]
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
These patches for Heirloom mailx address only part of the vulnerabilities. mailx has to be invoked as “mail -- user“, otherwise command execution possibilities remain. Further insights/discussion are need to see if we can make things secure without the “--” delimiter. Created attachment 958282 [details]
0005-add_to_namelist-Make-extern.patch
Created attachment 958284 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch
This patch should address unintended entering of reading mode, and also blocks setting critical options using the -S flag.
*** Bug 1165136 has been marked as a duplicate of this bug. *** Created attachment 959650 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch
New version fixes typo in manual page.
Comment on attachment 959650 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch
It was decided that callers must use “--” to avoid option processing, so this patch is no longer required (and neither is patch 5).
Created attachment 965120 [details]
0002-unpack-Disable-option-processing-for-email-addresses.patch
This version fixes processing of the -r option. sendmail options and email addresses are now clearly separated.
Created mailx tracking bugs for this issue: Affects: fedora-all [bug 1174903] Created bsd-mailx tracking bugs for this issue: Affects: epel-6 [bug 1174904] This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:1999 https://rhn.redhat.com/errata/RHSA-2014-1999.html i cannot believe that this took 10 years for a fix ... Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Created nail tracking bugs for this issue: Affects: epel-5 [bug 1175521] The nail package in EPEL 5 looks to also be affected. mailx-12.5-9.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. mailx-12.5-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. mailx-12.5-11.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. nail-12.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. bsd-mailx-8.1.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |
Florian Weimer from Red Hat has reported the below issue: mailx executes shell commands embedded in syntactically valid mail addresses due a not quoted command to prevent word expansion. fio.c 542 } 543 snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name); 544 if ((shell = value("SHELL")) == NULL) 545 shell = SHELL; The original report in Debian bugtracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748