1629975 – (CVE-2018-16744) CVE-2018-16744 mgetty: Command injection in faxrec.c

Bug 1629975 (CVE-2018-16744) - CVE-2018-16744 mgetty: Command injection in faxrec.c

Summary: CVE-2018-16744 mgetty: Command injection in faxrec.c

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-16744
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1629976 1631238
Blocks:	1629987
TreeView+	depends on / blocked

Reported:	2018-09-17 17:39 UTC by Pedro Sampaio
Modified:	2023-03-24 14:14 UTC (History)
CC List:	8 users (show)
Fixed In Version:	mgetty 1.2.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-25 22:17:41 UTC
Embargoed:

Attachments	(Terms of Use)
upstream patch (501 bytes, patch) 2018-09-20 09:29 UTC, Riccardo Schirone	no flags	Details \| Diff
View All

Description Pedro Sampaio 2018-09-17 17:39:45 UTC

An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used.

References:

https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Comment 1 Pedro Sampaio 2018-09-17 17:40:16 UTC

Created mgetty tracking bugs for this issue:

Affects: fedora-all [bug 1629976]

Comment 2 Riccardo Schirone 2018-09-20 09:19:30 UTC

Only root can write to /etc/mgetty+sendfax/mgetty.config and set the `notify` option which `mail_to` is set to when the program runs.

Comment 5 Riccardo Schirone 2018-09-20 09:29:50 UTC

Created attachment 1485085 [details]
upstream patch

This patch was extracted from mgetty-1.2.1

Comment 6 Riccardo Schirone 2018-09-20 09:32:42 UTC

This flaw is very unlikely to be exploited since it requires the root account to set a wrong `notify` option.

Comment 8 Riccardo Schirone 2018-09-20 09:37:42 UTC

Mitigation:

Make sure the `notify` option in /etc/mgetty+sendfax/mgetty.config does not contain characters that can be possibly interpreted by the shell and that the file is readable and writable only by root.

Comment 9 Fedora Update System 2019-02-27 01:15:28 UTC

mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-02-27 03:28:18 UTC

mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.