A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
Florian Weimer from Red Hat has reported the below issue:
mailx executes shell commands embedded in syntactically valid mail addresses due to a command not being quoted to prevent word expansion.
snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);  /* address interpolated unquoted into a shell command line */
if ((shell = value("SHELL")) == NULL)
        shell = SHELL;
The original report in Debian bugtracker:
Created attachment 958222
Created attachment 958223
Created attachment 958224
Created attachment 958225
These patches for Heirloom mailx address only part of the vulnerabilities. mailx has to be invoked as “mail -- email@example.com”, otherwise command execution possibilities remain. Further insights/discussion are needed to see if we can make things secure without the “--” delimiter.
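The two problems above, the unquoted `echo %s` shell string and the need for a `--` separator before addresses, are illustrated by this added example, which is not mailx code: an allowlist check for addresses and an argv builder that hands recipients to sendmail after `--` without ever going through a shell. The names `address_is_safe`, `build_sendmail_argv` and the sendmail path are assumptions.

```c
/* Added example, not mailx source. It shows the defensive pattern: validate
 * addresses against an allowlist and pass them as argv elements after "--",
 * instead of interpolating them into a shell command line. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Reject anything outside a conservative allowlist of letters, digits and a
 * few punctuation characters common in mail addresses. Shell metacharacters,
 * whitespace and quotes never pass, and a leading '-' is refused because a
 * mail transport would otherwise parse the address as an option. */
int address_is_safe(const char *addr)
{
    if (addr == NULL || *addr == '\0' || *addr == '-')
        return 0;
    if (strlen(addr) > 254)          /* SMTP path length limit */
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || strchr("@._-+", c))
            continue;
        return 0;                     /* disallowed character */
    }
    return strchr(addr, '@') != NULL; /* require a domain part */
}

/* Build an argv for sendmail: options first, then "--", then addresses.
 * An argv is never subject to word expansion, unlike the vulnerable
 * snprintf(cmdbuf, ..., "echo %s", name) string handed to a shell.
 * Returns the argument count, or -1 on overflow or an unsafe address.
 * sendmail is an assumed path, e.g. "/usr/sbin/sendmail". */
int build_sendmail_argv(const char *sendmail,
                        const char *const *opts, int nopts,
                        const char *const *addrs, int naddrs,
                        const char **argv, int argv_cap)
{
    int n = 0;
    if (nopts + naddrs + 3 > argv_cap)
        return -1;
    argv[n++] = sendmail;
    for (int i = 0; i < nopts; i++)
        argv[n++] = opts[i];
    argv[n++] = "--";                 /* end of option processing */
    for (int i = 0; i < naddrs; i++) {
        if (!address_is_safe(addrs[i]))
            return -1;
        argv[n++] = addrs[i];
    }
    argv[n] = NULL;                   /* execv-style terminator */
    return n;
}
```

The resulting argv is meant for `execv`/`posix_spawn`, never for `system()` or `popen()`.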
Created attachment 958282
Created attachment 958284
This patch should address unintended entering of reading mode, and also blocks setting critical options using the -S flag.
*** Bug 1165136 has been marked as a duplicate of this bug. ***
Created attachment 959650
New version fixes typo in manual page.
Comment on attachment 959650
It was decided that callers must use “--” to avoid option processing, so this patch is no longer required (and neither is patch 5).
Created attachment 965120
This version fixes processing of the -r option. sendmail options and email addresses are now clearly separated.
Created mailx tracking bugs for this issue:
Affects: fedora-all [bug 1174903]
Created bsd-mailx tracking bugs for this issue:
Affects: epel-6 [bug 1174904]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2014:1999 https://rhn.redhat.com/errata/RHSA-2014-1999.html
I cannot believe that this took 10 years for a fix ...
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Created nail tracking bugs for this issue:
Affects: epel-5 [bug 1175521]
The nail package in EPEL 5 looks to also be affected.
mailx-12.5-9.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mailx-12.5-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mailx-12.5-11.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nail-12.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
bsd-mailx-8.1.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.