1137581 – (CVE-2014-3618) CVE-2014-3618 procmail: Heap-overflow in procmail's formail utility when processing specially-crafted email headers

Bug 1137581 (CVE-2014-3618) - CVE-2014-3618 procmail: Heap-overflow in procmail's formail utility when processing specially-crafted email headers

Summary: CVE-2014-3618 procmail: Heap-overflow in procmail's formail utility when proc...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-3618
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1165717 (view as bug list)
Depends On:	1137582 1138235 1138237 1138238 1138239 1138304 1138305
Blocks:	1137583 1165720
TreeView+	depends on / blocked

Reported:	2014-09-04 03:24 UTC by Huzaifa S. Sidhpurwala
Modified:	2019-09-29 13:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail.
Clone Of:
Environment:
Last Closed:	2014-09-22 03:47:51 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1172	0	normal	SHIPPED_LIVE	Important: procmail security update	2014-09-10 17:16:04 UTC

Description Huzaifa S. Sidhpurwala 2014-09-04 03:24:35 UTC

A heap-based buffer overflow was reported in procmail when parsing addresses with unbalanced quotes.

More details available at:

http://www.openwall.com/lists/oss-security/2014/09/03/8

Comment 1 Huzaifa S. Sidhpurwala 2014-09-04 03:25:11 UTC

Created procmail tracking bugs for this issue:

Affects: fedora-all [bug 1137582]

Comment 2 Huzaifa S. Sidhpurwala 2014-09-04 03:36:47 UTC

This issue has been assigned CVE-2014-3618 via:

http://www.openwall.com/lists/oss-security/2014/09/04/1

Comment 5 Vincent Danen 2014-09-04 13:25:35 UTC

Note that Tavis initially filed bug 1121299 against rawhide for this, and the malformed mbox to reproduce it as attached as https://bugzilla.redhat.com/attachment.cgi?id=919216

Comment 6 Martin Prpič 2014-09-09 07:39:05 UTC

IssueDescription:

A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail.

Comment 7 Ken Kleiner 2014-09-10 13:16:26 UTC

We have encountered this issue with CentOS release 5.10 (Final) with the following rpm:  procmail-3.22-17.1.el5.centos

An unblanaced backtick (`) in an email address caused procmail to modify the /var/mail from a symlink into a directory.  

Is there a centos 5 patch?

Comment 8 errata-xmlrpc 2014-09-10 13:16:27 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2014:1172 https://rhn.redhat.com/errata/RHSA-2014-1172.html

Comment 9 Ken Kleiner 2014-09-10 13:57:47 UTC

(In reply to Ken Kleiner from comment #7)
> We have encountered this issue with CentOS release 5.10 (Final) with the
> following rpm:  procmail-3.22-17.1.el5.centos
> 
> An unblanaced backtick (`) in an email address caused procmail to modify the
> /var/mail from a symlink into a directory.  
> 
> Is there a centos 5 patch?

Just got an email saying update for centos5 is being pushed to mirrors.

Comment 10 Huzaifa S. Sidhpurwala 2014-09-11 06:36:13 UTC

(In reply to Ken Kleiner from comment #9)
> (In reply to Ken Kleiner from comment #7)
> > We have encountered this issue with CentOS release 5.10 (Final) with the
> > following rpm:  procmail-3.22-17.1.el5.centos
> > 
> > An unblanaced backtick (`) in an email address caused procmail to modify the
> > /var/mail from a symlink into a directory.  
> > 
> > Is there a centos 5 patch?
> 
> Just got an email saying update for centos5 is being pushed to mirrors.

Could you test and tell us, if those updates really work with the issue you described above?

Comment 11 Ken Kleiner 2014-09-11 13:40:17 UTC

(In reply to Huzaifa S. Sidhpurwala from comment #10)
> (In reply to Ken Kleiner from comment #9)
> > (In reply to Ken Kleiner from comment #7)
> > > We have encountered this issue with CentOS release 5.10 (Final) with the
> > > following rpm:  procmail-3.22-17.1.el5.centos
> > > 
> > > An unblanaced backtick (`) in an email address caused procmail to modify the
> > > /var/mail from a symlink into a directory.  
> > > 
> > > Is there a centos 5 patch?
> > 
> > Just got an email saying update for centos5 is being pushed to mirrors.
> 
> Could you test and tell us, if those updates really work with the issue you
> described above?

Updating to procmail-3.22-17.1.2.el5_10 did NOT fix this.  With a valid username of `username accessible to sendmail, this bug still occurs, moving the existing /var/mail entity to /var/BOGUS...xxx and creating a new /var/mail directory.

If I put the '`' character elsewhere in the username, this doesn't happen.

Comment 12 Fedora Update System 2014-09-13 06:51:27 UTC

procmail-3.22-36.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Huzaifa S. Sidhpurwala 2014-09-18 03:22:11 UTC

(In reply to Ken Kleiner from comment #11)

> Updating to procmail-3.22-17.1.2.el5_10 did NOT fix this.  With a valid
> username of `username accessible to sendmail, this bug still occurs, moving
> the existing /var/mail entity to /var/BOGUS...xxx and creating a new
> /var/mail directory.
> 
> If I put the '`' character elsewhere in the username, this doesn't happen.

I think this is related to your configuration, could you enclose your procmailrc file?

Comment 14 Huzaifa S. Sidhpurwala 2014-09-22 03:47:51 UTC

(In reply to Huzaifa S. Sidhpurwala from comment #13)

> > If I put the '`' character elsewhere in the username, this doesn't happen.
> 
> I think this is related to your configuration, could you enclose your
> procmailrc file?

Ken,

I am going to close this security flaw, if you still see anything peculiar feel free to open another bug.

Comment 15 Fedora Update System 2014-09-23 04:44:54 UTC

procmail-3.22-36.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-09-25 10:42:21 UTC

procmail-3.22-36.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Vasyl Kaigorodov 2014-11-25 15:06:58 UTC

*** Bug 1165717 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.