Bug 1162783 (CVE-2004-2771, CVE-2014-7844)

Summary: CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw
Product: [Other] Security Response Reporter: Francisco Alonso <falonso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Leos Pol <lpol>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, carnil, chazlett, cybernet2u, dmitry, fweimer, jchaloup, jrusnack, lpol, mmcallis, pschiffe, security-response-team, vkaigoro
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-16 21:09:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1171175, 1171176, 1171177, 1171178, 1174903, 1174904, 1175521    
Bug Blocks: 1158744, 1165137    
Attachments:
Description Flags
0001-outof-Introduce-expandaddr-flag.patch
none
0002-unpack-Disable-option-processing-for-email-addresses.patch
none
0003-fio.c-Unconditionally-require-wordexp-support.patch
none
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
none
0005-add_to_namelist-Make-extern.patch
none
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch
none
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch
none
0002-unpack-Disable-option-processing-for-email-addresses.patch none

Description Francisco Alonso 2014-11-11 17:05:33 UTC
Florian Weimer from Red Hat has reported the below issue:

mailx executes shell commands embedded in syntactically valid mail addresses due a not quoted command to prevent word expansion.

fio.c
542 	}
543 	snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
544 	if ((shell = value("SHELL")) == NULL)
545 		shell = SHELL;


The original report in Debian bugtracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748

Comment 2 Florian Weimer 2014-11-17 12:21:28 UTC
Created attachment 958222 [details]
0001-outof-Introduce-expandaddr-flag.patch

Comment 3 Florian Weimer 2014-11-17 12:21:51 UTC
Created attachment 958223 [details]
0002-unpack-Disable-option-processing-for-email-addresses.patch

Comment 4 Florian Weimer 2014-11-17 12:22:24 UTC
Created attachment 958224 [details]
0003-fio.c-Unconditionally-require-wordexp-support.patch

Comment 5 Florian Weimer 2014-11-17 12:22:50 UTC
Created attachment 958225 [details]
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch

Comment 6 Florian Weimer 2014-11-17 12:25:10 UTC
These patches for Heirloom mailx address only part of the vulnerabilities.  mailx has to be invoked as “mail -- user@example.com“, otherwise command execution possibilities remain.  Further insights/discussion are need to see if we can make things secure without the “--” delimiter.

Comment 7 Florian Weimer 2014-11-17 16:03:33 UTC
Created attachment 958282 [details]
0005-add_to_namelist-Make-extern.patch

Comment 8 Florian Weimer 2014-11-17 16:05:47 UTC
Created attachment 958284 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch

This patch should address unintended entering of reading mode, and also blocks setting critical options using the -S flag.

Comment 9 Vasyl Kaigorodov 2014-11-21 10:06:38 UTC
*** Bug 1165136 has been marked as a duplicate of this bug. ***

Comment 10 Florian Weimer 2014-11-21 10:37:02 UTC
Created attachment 959650 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch

New version fixes typo in manual page.

Comment 13 Florian Weimer 2014-12-01 13:22:00 UTC
Comment on attachment 959650 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch

It was decided that callers must use “--” to avoid option processing, so this patch is no longer required (and neither is patch 5).

Comment 14 Florian Weimer 2014-12-05 15:22:13 UTC
Created attachment 965120 [details]
0002-unpack-Disable-option-processing-for-email-addresses.patch

This version fixes processing of the -r option.  sendmail options and email addresses are now clearly separated.

Comment 17 Vincent Danen 2014-12-16 17:31:53 UTC
Created mailx tracking bugs for this issue:

Affects: fedora-all [bug 1174903]

Comment 18 Vincent Danen 2014-12-16 17:31:56 UTC
Created bsd-mailx tracking bugs for this issue:

Affects: epel-6 [bug 1174904]

Comment 19 errata-xmlrpc 2014-12-16 19:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1999 https://rhn.redhat.com/errata/RHSA-2014-1999.html

Comment 20 cybernet 2014-12-16 22:06:58 UTC
i cannot believe that this took 10 years for a fix ...

Comment 21 Vincent Danen 2014-12-17 16:32:38 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 22 Murray McAllister 2014-12-17 23:00:51 UTC
Created nail tracking bugs for this issue:

Affects: epel-5 [bug 1175521]

Comment 23 Murray McAllister 2014-12-17 23:01:25 UTC
The nail package in EPEL 5 looks to also be affected.

Comment 24 Fedora Update System 2015-01-03 19:03:26 UTC
mailx-12.5-9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2015-01-03 19:09:41 UTC
mailx-12.5-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2015-01-03 19:11:18 UTC
mailx-12.5-11.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2015-01-24 18:42:49 UTC
nail-12.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2015-01-26 20:13:01 UTC
bsd-mailx-8.1.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.