Bug 1162783 (CVE-2004-2771, CVE-2014-7844) - CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw
Summary: CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw
Status: CLOSED ERRATA
Alias: CVE-2004-2771, CVE-2014-7844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Leos Pol
URL:
Whiteboard: impact=moderate,public=20141216,repor...
Keywords: Security
: 1165136 (view as bug list)
Depends On: 1171175 1171176 1171177 1171178 1174903 1174904 1175521
Blocks: 1158744 1165137
TreeView+ depends on / blocked
 
Reported: 2014-11-11 17:05 UTC by Francisco Alonso
Modified: 2019-06-08 20:15 UTC (History)
13 users (show)

(edit)
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
Clone Of:
(edit)
Last Closed: 2014-12-16 21:09:29 UTC


Attachments (Terms of Use)
0001-outof-Introduce-expandaddr-flag.patch (1.67 KB, patch)
2014-11-17 12:21 UTC, Florian Weimer
no flags Details | Diff
0002-unpack-Disable-option-processing-for-email-addresses.patch (860 bytes, patch)
2014-11-17 12:21 UTC, Florian Weimer
no flags Details | Diff
0003-fio.c-Unconditionally-require-wordexp-support.patch (2.45 KB, patch)
2014-11-17 12:22 UTC, Florian Weimer
no flags Details | Diff
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch (652 bytes, patch)
2014-11-17 12:22 UTC, Florian Weimer
no flags Details | Diff
0005-add_to_namelist-Make-extern.patch (1.25 KB, patch)
2014-11-17 16:03 UTC, Florian Weimer
no flags Details | Diff
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch (4.25 KB, patch)
2014-11-17 16:05 UTC, Florian Weimer
no flags Details | Diff
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch (4.25 KB, patch)
2014-11-21 10:37 UTC, Florian Weimer
no flags Details | Diff
0002-unpack-Disable-option-processing-for-email-addresses.patch (2.15 KB, patch)
2014-12-05 15:22 UTC, Florian Weimer
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1999 normal SHIPPED_LIVE Moderate: mailx security update 2014-12-17 00:44:58 UTC

Description Francisco Alonso 2014-11-11 17:05:33 UTC
Florian Weimer from Red Hat has reported the below issue:

mailx executes shell commands embedded in syntactically valid mail addresses due a not quoted command to prevent word expansion.

fio.c
542 	}
543 	snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
544 	if ((shell = value("SHELL")) == NULL)
545 		shell = SHELL;


The original report in Debian bugtracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748

Comment 2 Florian Weimer 2014-11-17 12:21:28 UTC
Created attachment 958222 [details]
0001-outof-Introduce-expandaddr-flag.patch

Comment 3 Florian Weimer 2014-11-17 12:21:51 UTC
Created attachment 958223 [details]
0002-unpack-Disable-option-processing-for-email-addresses.patch

Comment 4 Florian Weimer 2014-11-17 12:22:24 UTC
Created attachment 958224 [details]
0003-fio.c-Unconditionally-require-wordexp-support.patch

Comment 5 Florian Weimer 2014-11-17 12:22:50 UTC
Created attachment 958225 [details]
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch

Comment 6 Florian Weimer 2014-11-17 12:25:10 UTC
These patches for Heirloom mailx address only part of the vulnerabilities.  mailx has to be invoked as “mail -- user@example.com“, otherwise command execution possibilities remain.  Further insights/discussion are need to see if we can make things secure without the “--” delimiter.

Comment 7 Florian Weimer 2014-11-17 16:03:33 UTC
Created attachment 958282 [details]
0005-add_to_namelist-Make-extern.patch

Comment 8 Florian Weimer 2014-11-17 16:05:47 UTC
Created attachment 958284 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch

This patch should address unintended entering of reading mode, and also blocks setting critical options using the -S flag.

Comment 9 Vasyl Kaigorodov 2014-11-21 10:06:38 UTC
*** Bug 1165136 has been marked as a duplicate of this bug. ***

Comment 10 Florian Weimer 2014-11-21 10:37:02 UTC
Created attachment 959650 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch

New version fixes typo in manual page.

Comment 13 Florian Weimer 2014-12-01 13:22:00 UTC
Comment on attachment 959650 [details]
0006-Add-unsafe-configuration-flag-and-disable-A-S-T-opti.patch

It was decided that callers must use “--” to avoid option processing, so this patch is no longer required (and neither is patch 5).

Comment 14 Florian Weimer 2014-12-05 15:22:13 UTC
Created attachment 965120 [details]
0002-unpack-Disable-option-processing-for-email-addresses.patch

This version fixes processing of the -r option.  sendmail options and email addresses are now clearly separated.

Comment 17 Vincent Danen 2014-12-16 17:31:53 UTC
Created mailx tracking bugs for this issue:

Affects: fedora-all [bug 1174903]

Comment 18 Vincent Danen 2014-12-16 17:31:56 UTC
Created bsd-mailx tracking bugs for this issue:

Affects: epel-6 [bug 1174904]

Comment 19 errata-xmlrpc 2014-12-16 19:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1999 https://rhn.redhat.com/errata/RHSA-2014-1999.html

Comment 20 cybernet 2014-12-16 22:06:58 UTC
i cannot believe that this took 10 years for a fix ...

Comment 21 Vincent Danen 2014-12-17 16:32:38 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 22 Murray McAllister 2014-12-17 23:00:51 UTC
Created nail tracking bugs for this issue:

Affects: epel-5 [bug 1175521]

Comment 23 Murray McAllister 2014-12-17 23:01:25 UTC
The nail package in EPEL 5 looks to also be affected.

Comment 24 Fedora Update System 2015-01-03 19:03:26 UTC
mailx-12.5-9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2015-01-03 19:09:41 UTC
mailx-12.5-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2015-01-03 19:11:18 UTC
mailx-12.5-11.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2015-01-24 18:42:49 UTC
nail-12.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2015-01-26 20:13:01 UTC
bsd-mailx-8.1.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.