Bug 1192237

Summary: procmail: unsafe handling of TZ environment variable
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, fche, jrusnack, jskarvad
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-18 20:43:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1203601
Bug Blocks: 1192238

Description Kurt Seifried 2015-02-12 23:08:23 UTC
It is reported that procmail has a similar flaw to sudo's CVE-2014-9680 in that procmail whitelists TZ values incorrectly.

External references:
http://openwall.com/lists/oss-security/2014/10/15/24
https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13
http://seclists.org/oss-sec/2015/q1/533

Comment 2 Ján Rusnačko 2015-03-19 08:55:22 UTC
Created procmail tracking bugs for this issue:

Affects: fedora-all [bug 1203601]

Comment 4 Adam Mariš 2017-04-24 08:20:33 UTC
CVE-2014-9681 has been rejected. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.