Bugzilla – Bug 919737
VUL-1: CVE-2014-9681 procmail: Unsafe handling of TZ environment variable
Last modified: 2017-04-24 12:22:46 UTC
rh#1192237 procmail preserves TZ. This can be abused to trick the program into reading an arbitrary file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1192237
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9681
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9681.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9681
bugbot adjusting priority
Hmmm .... just tried to reproduce the example in http://openwall.com/lists/oss-security/2014/10/15/24

  werner/procmail> bash
  werner/procmail> echo harry > xyz
  werner/procmail> TZ=$PWD/xyz sudo -u root strace -s 256 date 2>&1 | grep harry
  werner/procmail>

... what's going wrong here?
Side remark: the sudo has not been fixed on the test systems! And read https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778341 as well as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706. IMHO this bug, if it really is reproducible, belongs to glibc!
The same for procmail:

  cat testmail | TZ=$PWD/xyz strace -o log -s 256 procmail ~/.procmail/test-procmailrc

and there is no xyz in the strace log.
Btw:

  date; TZ=$PWD/xyz date; TZ=$PWD/UTC date
  Fri Feb 27 09:48:37 CET 2015
  Fri Feb 27 08:48:37 /usr/src/werner/procmail/xyz 2015
  Fri Feb 27 08:48:37 /usr/src/werner/procmail/UTC 2015

that means the xyz will be interpreted, see without sudo:

  TZ=$PWD/xyz strace date 2>&1 | grep harry
  read(3, "harry\n", 4096)                = 6

but as mentioned in the Debian bugs, this belongs to glibc.
Also the TZ variable will be passed through, which is seen by using

  :0
  {
    LOG="XXX :$TZ "
  }

in my test-procmailrc:

  cat testmail | TZ=$PWD/xyz procmail ~werner/.procmail/test-procmailrc
  XXX :/tmp/xyz
  From werner@suse.com Fri Feb 20 18:38:03 2015
   Subject: [changed] 313774 Display which programs are (partly) swapped
    Folder: /var/mail/werner                                              25749
Btw: It is possible to set the line TZ=/tmp/xyz or similar in ~/.procmailrc, but procmail will be called as a filter by the MTA like postfix and sendmail with the uid of the user (procmail is not suid!). That is, even if the user account has been successfully attacked, the question arises how to get the TZ variable into the chain MTA->procmail->program in ~/.procmailrc, and why this should be done, as if the account has been successfully attacked there is no need to misuse procmail but simply to execute every command with TZ=/tmp/xyz prefixed on the user's command line. In other words, the TZ variable can only be set by root before starting the MTA to influence the behaviour of commands in the users' ~/.procmailrc files. The users themselves can only set the TZ variable in their own ~/.procmailrc files. But if a suid program is attackable via glibc then the users can also do this on the command line. IMHO this bug is INVALID.
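The defensive counterpart to the discussion above, added here as an example (this is not code from procmail, glibc or sudo): a check that a mail filter or privileged wrapper could apply to TZ before handing its environment to a child, modelled on the restriction glibc applies for setuid binaries (absolute paths only for /etc/localtime or below the zoneinfo directory, no ".." components). The functions tz_is_safe and scrub_tz, the TZDIR location and the sample environment are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TZDIR     "/usr/share/zoneinfo"   /* compiled zone files (assumed location) */
#define TZDEFAULT "/etc/localtime"        /* site-wide default */
/* Can this TZ value be passed to a child without tzset() opening an
 * attacker-chosen file?  A leading ':' is skipped; empty means UTC;
 * absolute paths are allowed only for TZDEFAULT or below TZDIR; any
 * ".." is rejected (stricter than glibc's own "../" test); only
 * printable ASCII of bounded length is accepted.  Zone names and POSIX
 * rule strings such as "CET-1CEST,M3.5.0,M10.5.0/3" pass. */
bool tz_is_safe(const char *tz)
{
    if (tz == NULL) return true;          /* unset: system default */
    if (*tz == ':') tz++;                 /* ":name" form */
    size_t len = strlen(tz);
    if (len == 0) return true;            /* empty: UTC */
    if (len > 255 || strstr(tz, "..") != NULL) return false;
    for (size_t i = 0; i < len; i++)
        if (tz[i] < 0x20 || tz[i] > 0x7e) return false;
    if (tz[0] != '/' || strcmp(tz, TZDEFAULT) == 0) return true;
    /* sizeof(TZDIR) counts the NUL, so this compares TZDIR plus the '/' */
    return strncmp(tz, TZDIR "/", sizeof(TZDIR)) == 0;
}

/* Remove unsafe "TZ=..." entries in place from a NULL-terminated environment
 * array (what a filter hands to execve()).  Returns how many were dropped. */
size_t scrub_tz(char **envp)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++) {
        if (strncmp(envp[in], "TZ=", 3) == 0 && !tz_is_safe(envp[in] + 3))
            continue;                     /* drop it */
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return in - out;
}

int main(void)
{
    /* constructed sample values, including the /tmp/xyz case from this bug */
    const char *samples[] = { "CET", ":Europe/Berlin", "/usr/share/zoneinfo/UTC",
                              "/tmp/xyz", ":/tmp/xyz", "Europe/../../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s %s\n", samples[i], tz_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```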
No response
This candidate was withdrawn by its CNA.