Bug 1629975 (CVE-2018-16744) - CVE-2018-16744 mgetty: Command injection in faxrec.c
Summary: CVE-2018-16744 mgetty: Command injection in faxrec.c
Status: CLOSED ERRATA
Alias: CVE-2018-16744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1629976 1631238
Blocks: 1629987
Reported: 2018-09-17 17:39 UTC by Pedro Sampaio
Modified: 2023-03-24 14:14 UTC (History)

Fixed In Version: mgetty 1.2.1
Last Closed: 2021-10-25 22:17:41 UTC


Attachments:
upstream patch (501 bytes, patch)
2018-09-20 09:29 UTC, Riccardo Schirone

Description Pedro Sampaio 2018-09-17 17:39:45 UTC
An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used.

References:

https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Comment 1 Pedro Sampaio 2018-09-17 17:40:16 UTC
Created mgetty tracking bugs for this issue:

Affects: fedora-all [bug 1629976]

Comment 2 Riccardo Schirone 2018-09-20 09:19:30 UTC
Only root can write to /etc/mgetty+sendfax/mgetty.config and set the `notify` option which `mail_to` is set to when the program runs.

Comment 5 Riccardo Schirone 2018-09-20 09:29:50 UTC
Created attachment 1485085
upstream patch

This patch was extracted from mgetty-1.2.1

Comment 6 Riccardo Schirone 2018-09-20 09:32:42 UTC
This flaw is very unlikely to be exploited since it requires the root account to set a wrong `notify` option.

Comment 8 Riccardo Schirone 2018-09-20 09:37:42 UTC
Mitigation:

Make sure the `notify` option in /etc/mgetty+sendfax/mgetty.config does not contain characters that can be possibly interpreted by the shell and that the file is readable and writable only by root.
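
The check described in this mitigation can be scripted. The following is an added example, not part of the bug report or of mgetty; it assumes the config uses `keyword value` lines with `#` comment lines, and the allow-list, the constructed sample and all function names are this example's own choices.

```python
import os
import re
import stat

# Allow-list chosen for this example: a local user name or plain mail address,
# starting with an alphanumeric character or underscore.
SAFE_RECIPIENT = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._+@-]*")

# Constructed sample input, not taken from a real system.
SAMPLE = "# constructed\nnotify faxadmin@example.org\nnotify faxadmin;example\n"

def notify_values(text):
    """Return (line_number, value) for each `notify` line that has a value."""
    found = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Everything after the keyword counts as the value, so trailing
        # text is flagged rather than silently dropped.
        parts = stripped.split(None, 1)
        if parts[0] == "notify" and len(parts) == 2:
            found.append((number, parts[1]))
    return found

def unsafe_notify(text):
    """Return the notify entries that fall outside the allow-list."""
    return [(n, v) for n, v in notify_values(text)
            if not SAFE_RECIPIENT.fullmatch(v)]

def file_problems(path, owner_uid=0):
    """Report ownership or mode that lets anyone but the owner read or write."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != owner_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    if mode & 0o077:
        problems.append("mode %04o allows group/other access" % mode)
    return problems

def audit(path="/etc/mgetty+sendfax/mgetty.config", owner_uid=0):
    """Return all findings for one config file as a list of strings."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        bad = unsafe_notify(handle.read())
    return file_problems(path, owner_uid) + [
        "line %d: notify value %r" % (n, v) for n, v in bad]

if __name__ == "__main__":
    print("\n".join(audit()))
```

An empty result from `audit()` means the file is owned by root with no group or other access and every `notify` value matches the allow-list.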

Comment 9 Fedora Update System 2019-02-27 01:15:28 UTC
mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-02-27 03:28:18 UTC
mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
