A heap-based buffer overflow was reported in procmail when parsing addresses with unbalanced quotes. More details available at: http://www.openwall.com/lists/oss-security/2014/09/03/8
Created procmail tracking bugs for this issue: Affects: fedora-all [bug 1137582]
This issue has been assigned CVE-2014-3618 via: http://www.openwall.com/lists/oss-security/2014/09/04/1
Note that Tavis initially filed bug 1121299 against rawhide for this, and the malformed mbox to reproduce it as attached as https://bugzilla.redhat.com/attachment.cgi?id=919216
IssueDescription: A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail.
We have encountered this issue with CentOS release 5.10 (Final) with the following rpm: procmail-3.22-17.1.el5.centos An unblanaced backtick (`) in an email address caused procmail to modify the /var/mail from a symlink into a directory. Is there a centos 5 patch?
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2014:1172 https://rhn.redhat.com/errata/RHSA-2014-1172.html
(In reply to Ken Kleiner from comment #7) > We have encountered this issue with CentOS release 5.10 (Final) with the > following rpm: procmail-3.22-17.1.el5.centos > > An unblanaced backtick (`) in an email address caused procmail to modify the > /var/mail from a symlink into a directory. > > Is there a centos 5 patch? Just got an email saying update for centos5 is being pushed to mirrors.
(In reply to Ken Kleiner from comment #9) > (In reply to Ken Kleiner from comment #7) > > We have encountered this issue with CentOS release 5.10 (Final) with the > > following rpm: procmail-3.22-17.1.el5.centos > > > > An unblanaced backtick (`) in an email address caused procmail to modify the > > /var/mail from a symlink into a directory. > > > > Is there a centos 5 patch? > > Just got an email saying update for centos5 is being pushed to mirrors. Could you test and tell us, if those updates really work with the issue you described above?
(In reply to Huzaifa S. Sidhpurwala from comment #10) > (In reply to Ken Kleiner from comment #9) > > (In reply to Ken Kleiner from comment #7) > > > We have encountered this issue with CentOS release 5.10 (Final) with the > > > following rpm: procmail-3.22-17.1.el5.centos > > > > > > An unblanaced backtick (`) in an email address caused procmail to modify the > > > /var/mail from a symlink into a directory. > > > > > > Is there a centos 5 patch? > > > > Just got an email saying update for centos5 is being pushed to mirrors. > > Could you test and tell us, if those updates really work with the issue you > described above? Updating to procmail-3.22-17.1.2.el5_10 did NOT fix this. With a valid username of `username accessible to sendmail, this bug still occurs, moving the existing /var/mail entity to /var/BOGUS...xxx and creating a new /var/mail directory. If I put the '`' character elsewhere in the username, this doesn't happen.
procmail-3.22-36.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Ken Kleiner from comment #11) > Updating to procmail-3.22-17.1.2.el5_10 did NOT fix this. With a valid > username of `username accessible to sendmail, this bug still occurs, moving > the existing /var/mail entity to /var/BOGUS...xxx and creating a new > /var/mail directory. > > If I put the '`' character elsewhere in the username, this doesn't happen. I think this is related to your configuration, could you enclose your procmailrc file?
(In reply to Huzaifa S. Sidhpurwala from comment #13) > > If I put the '`' character elsewhere in the username, this doesn't happen. > > I think this is related to your configuration, could you enclose your > procmailrc file? Ken, I am going to close this security flaw, if you still see anything peculiar feel free to open another bug.
procmail-3.22-36.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
procmail-3.22-36.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1165717 has been marked as a duplicate of this bug. ***