Bug 1629975 – CVE-2018-16744 mgetty: Command injection in faxrec.c

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1629975 - (CVE-2018-16744) CVE-2018-16744 mgetty: Command injection in faxrec.c

Summary:	CVE-2018-16744 mgetty: Command injection in faxrec.c

Status:	NEW

Aliases:	CVE-2018-16744

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180913,reported=2...
Keywords:	Security

Depends On:	1629976 1631238
Blocks:	1629987
	Show dependency tree / graph

Reported:	2018-09-17 13:39 EDT by Pedro Sampaio
Modified:	2018-09-20 19:37 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	mgetty 1.2.1
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
upstream patch (501 bytes, patch) 2018-09-20 05:29 EDT, Riccardo Schirone	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-09-17 13:39:45 EDT

An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used.

References:

https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Comment 1 Pedro Sampaio 2018-09-17 13:40:16 EDT

Created mgetty tracking bugs for this issue:

Affects: fedora-all [bug 1629976]

Comment 2 Riccardo Schirone 2018-09-20 05:19:30 EDT

Only root can write to /etc/mgetty+sendfax/mgetty.config and set the `notify` option which `mail_to` is set to when the program runs.

Comment 5 Riccardo Schirone 2018-09-20 05:29 EDT

Created attachment 1485085 [details]
upstream patch

This patch was extracted from mgetty-1.2.1

Comment 6 Riccardo Schirone 2018-09-20 05:32:42 EDT

This flaw is very unlikely to be exploited since it requires the root account to set a wrong `notify` option.

Comment 8 Riccardo Schirone 2018-09-20 05:37:42 EDT

Mitigation:

Make sure the `notify` option in /etc/mgetty+sendfax/mgetty.config does not contain characters that can be possibly interpreted by the shell and that the file is readable and writable only by root.

Note You need to log in before you can comment on or make changes to this bug.