|Summary:||CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw|
|Product:||[Other] Security Response||Reporter:||Francisco Alonso <falonso>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:||Leos Pol <lpol>|
|Version:||unspecified||CC:||bressers, carnil, chazlett, cybernet2u, dmitry, fweimer, jchaloup, jrusnack, lpol, mmcallis, pschiffe, security-response-team, vkaigoro|
|Fixed In Version:||Doc Type:||Bug Fix|
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
|Last Closed:||2014-12-16 21:09:29 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1171175, 1171176, 1171177, 1171178, 1174903, 1174904, 1175521|
|Bug Blocks:||1158744, 1165137|
Description Francisco Alonso 2014-11-11 17:05:33 UTC
Florian Weimer from Red Hat has reported the below issue: mailx executes shell commands embedded in syntactically valid mail addresses due a not quoted command to prevent word expansion. fio.c 542 } 543 snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name); 544 if ((shell = value("SHELL")) == NULL) 545 shell = SHELL; The original report in Debian bugtracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
Comment 2 Florian Weimer 2014-11-17 12:21:28 UTC
Created attachment 958222 [details] 0001-outof-Introduce-expandaddr-flag.patch
Comment 3 Florian Weimer 2014-11-17 12:21:51 UTC
Created attachment 958223 [details] 0002-unpack-Disable-option-processing-for-email-addresses.patch
Comment 4 Florian Weimer 2014-11-17 12:22:24 UTC
Created attachment 958224 [details] 0003-fio.c-Unconditionally-require-wordexp-support.patch
Comment 5 Florian Weimer 2014-11-17 12:22:50 UTC
Created attachment 958225 [details] 0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
Comment 6 Florian Weimer 2014-11-17 12:25:10 UTC
These patches for Heirloom mailx address only part of the vulnerabilities. mailx has to be invoked as “mail -- firstname.lastname@example.org“, otherwise command execution possibilities remain. Further insights/discussion are need to see if we can make things secure without the “--” delimiter.
Comment 7 Florian Weimer 2014-11-17 16:03:33 UTC
Created attachment 958282 [details] 0005-add_to_namelist-Make-extern.patch
Comment 8 Florian Weimer 2014-11-17 16:05:47 UTC
Created attachment 958284 [details] 0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch This patch should address unintended entering of reading mode, and also blocks setting critical options using the -S flag.
Comment 9 Vasyl Kaigorodov 2014-11-21 10:06:38 UTC
*** Bug 1165136 has been marked as a duplicate of this bug. ***
Comment 10 Florian Weimer 2014-11-21 10:37:02 UTC
Created attachment 959650 [details] 0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch New version fixes typo in manual page.
Comment 13 Florian Weimer 2014-12-01 13:22:00 UTC
Comment on attachment 959650 [details] 0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch It was decided that callers must use “--” to avoid option processing, so this patch is no longer required (and neither is patch 5).
Comment 14 Florian Weimer 2014-12-05 15:22:13 UTC
Created attachment 965120 [details] 0002-unpack-Disable-option-processing-for-email-addresses.patch This version fixes processing of the -r option. sendmail options and email addresses are now clearly separated.
Comment 17 Vincent Danen 2014-12-16 17:31:53 UTC
Created mailx tracking bugs for this issue: Affects: fedora-all [bug 1174903]
Comment 18 Vincent Danen 2014-12-16 17:31:56 UTC
Created bsd-mailx tracking bugs for this issue: Affects: epel-6 [bug 1174904]
Comment 19 errata-xmlrpc 2014-12-16 19:45:24 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:1999 https://rhn.redhat.com/errata/RHSA-2014-1999.html
Comment 20 cybernet 2014-12-16 22:06:58 UTC
i cannot believe that this took 10 years for a fix ...
Comment 21 Vincent Danen 2014-12-17 16:32:38 UTC
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 22 Murray McAllister 2014-12-17 23:00:51 UTC
Created nail tracking bugs for this issue: Affects: epel-5 [bug 1175521]
Comment 23 Murray McAllister 2014-12-17 23:01:25 UTC
The nail package in EPEL 5 looks to also be affected.
Comment 24 Fedora Update System 2015-01-03 19:03:26 UTC
mailx-12.5-9.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2015-01-03 19:09:41 UTC
mailx-12.5-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2015-01-03 19:11:18 UTC
mailx-12.5-11.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2015-01-24 18:42:49 UTC
nail-12.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2015-01-26 20:13:01 UTC
bsd-mailx-8.1.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.