An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used. References: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty
Created mgetty tracking bugs for this issue: Affects: fedora-all [bug 1629976]
Only root can write to /etc/mgetty+sendfax/mgetty.config and set the `notify` option which `mail_to` is set to when the program runs.
Created attachment 1485085 [details] upstream patch This patch was extracted from mgetty-1.2.1
This flaw is very unlikely to be exploited since it requires the root account to set a wrong `notify` option.
Mitigation: Make sure the `notify` option in /etc/mgetty+sendfax/mgetty.config does not contain characters that can be possibly interpreted by the shell and that the file is readable and writable only by root.
mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.