pool/mailx
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

.

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/server:mail/mailx?expand=0&rev=41
This commit is contained in:
Dr. Werner Fink 2014-12-17 12:34:52 +00:00 committed by Git OBS Bridge
parent 2404f881a7
commit 93b21c13c9
8 changed files with 296 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
0001-outof-Introduce-expandaddr-flag.patch Normal file
View File

@ -0,0 +1,64 @@
From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Nov 2014 11:13:38 +0100
Subject: [PATCH 1/4] outof: Introduce expandaddr flag
Document that address expansion is disabled unless the expandaddr
binary option is set.
This has been assigned CVE-2014-7844 for BSD mailx, but it is not
a vulnerability in Heirloom mailx because this feature was documented.
---
mailx.1 | 14 ++++++++++++++
names.c | 3 +++
2 files changed, 17 insertions(+)
diff --git a/mailx.1 b/mailx.1
index 70a7859..22a171b 100644
--- a/mailx.1
+++ b/mailx.1
@@ -656,6 +656,14 @@ but any reply returned to the machine
will have the system wide alias expanded
as all mail goes through sendmail.
.SS "Recipient address specifications"
+If the
+.I expandaddr
+option is not set (the default), recipient addresses must be names of
+local mailboxes or Internet mail addresses.
+.PP
+If the
+.I expandaddr
+option is set, the following rules apply:
When an address is used to name a recipient
(in any of To, Cc, or Bcc),
names of local mail folders
@@ -2391,6 +2399,12 @@ and exits immediately.
If this option is set,
\fImailx\fR starts even with an empty mailbox.
.TP
+.B expandaddr
+Causes
+.I mailx
+to expand message recipient addresses, as explained in the section,
+Recipient address specifications.
+.TP
.B flipr
Exchanges the
.I Respond
diff --git a/names.c b/names.c
index 66e976b..c69560f 100644
--- a/names.c
+++ b/names.c
@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
FILE *fout, *fin;
int ispipe;
+ if (value("expandaddr") == NULL)
+ return names;
+
top = names;
np = names;
time(&now);
--
1.9.3

74
0002-unpack-Disable-option-processing-for-email-addresses.patch Normal file
View File

@ -0,0 +1,74 @@
From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Nov 2014 11:14:06 +0100
Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
when calling sendmail
---
extern.h | 2 +-
names.c | 8 ++++++--
sendout.c | 2 +-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/extern.h b/extern.h
index 6b85ba0..8873fe8 100644
--- a/extern.h
+++ b/extern.h
@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
int is_fileaddr(char *name);
struct name *usermap(struct name *names);
struct name *cat(struct name *n1, struct name *n2);
-char **unpack(struct name *np);
+char **unpack(struct name *smopts, struct name *np);
struct name *elide(struct name *names);
int count(struct name *np);
struct name *delete_alternates(struct name *np);
diff --git a/names.c b/names.c
index c69560f..45bbaed 100644
--- a/names.c
+++ b/names.c
@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
* Return an error if the name list won't fit.
*/
char **
-unpack(struct name *np)
+unpack(struct name *smopts, struct name *np)
{
char **ap, **top;
struct name *n;
@@ -564,7 +564,7 @@ unpack(struct name *np)
* the terminating 0 pointer. Additional spots may be needed
* to pass along -f to the host mailer.
*/
- extra = 2;
+ extra = 3 + count(smopts);
extra++;
metoo = value("metoo") != NULL;
if (metoo)
@@ -581,6 +581,10 @@ unpack(struct name *np)
*ap++ = "-m";
if (verbose)
*ap++ = "-v";
+ for (; smopts != NULL; smopts = smopts->n_flink)
+ if ((smopts->n_type & GDEL) == 0)
+ *ap++ = smopts->n_name;
+ *ap++ = "--";
for (; n != NULL; n = n->n_flink)
if ((n->n_type & GDEL) == 0)
*ap++ = n->n_name;
diff --git a/sendout.c b/sendout.c
index 7b7f2eb..c52f15d 100644
--- a/sendout.c
+++ b/sendout.c
@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
#endif /* HAVE_SOCKETS */
if ((smtp = value("smtp")) == NULL) {
- args = unpack(cat(mailargs, to));
+ args = unpack(mailargs, to);
if (debug || value("debug")) {
printf(catgets(catd, CATSET, 181,
"Sendmail arguments:"));
--
1.9.3

105
0003-fio.c-Unconditionally-require-wordexp-support.patch Normal file
View File

@ -0,0 +1,105 @@
From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Nov 2014 12:48:25 +0100
Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support
---
fio.c | 67 +++++--------------------------------------------------------------
1 file changed, 5 insertions(+), 62 deletions(-)
diff --git a/fio.c b/fio.c
index 65e8f10..1529236 100644
--- a/fio.c
+++ b/fio.c
@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c 2.76 (
#endif /* not lint */
#include "rcv.h"
+
+#ifndef HAVE_WORDEXP
+#error wordexp support is required
+#endif
+
#include <sys/stat.h>
#include <sys/file.h>
#include <sys/wait.h>
-#ifdef HAVE_WORDEXP
#include <wordexp.h>
-#endif /* HAVE_WORDEXP */
#include <unistd.h>
#if defined (USE_NSS)
@@ -481,7 +484,6 @@ next:
static char *
globname(char *name)
{
-#ifdef HAVE_WORDEXP
wordexp_t we;
char *cp;
sigset_t nset;
@@ -527,65 +529,6 @@ globname(char *name)
}
wordfree(&we);
return cp;
-#else /* !HAVE_WORDEXP */
- char xname[PATHSIZE];
- char cmdbuf[PATHSIZE]; /* also used for file names */
- int pid, l;
- char *cp, *shell;
- int pivec[2];
- extern int wait_status;
- struct stat sbuf;
-
- if (pipe(pivec) < 0) {
- perror("pipe");
- return name;
- }
- snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
- if ((shell = value("SHELL")) == NULL)
- shell = SHELL;
- pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
- if (pid < 0) {
- close(pivec[0]);
- close(pivec[1]);
- return NULL;
- }
- close(pivec[1]);
-again:
- l = read(pivec[0], xname, sizeof xname);
- if (l < 0) {
- if (errno == EINTR)
- goto again;
- perror("read");
- close(pivec[0]);
- return NULL;
- }
- close(pivec[0]);
- if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) {
- fprintf(stderr, catgets(catd, CATSET, 81,
- "\"%s\": Expansion failed.\n"), name);
- return NULL;
- }
- if (l == 0) {
- fprintf(stderr, catgets(catd, CATSET, 82,
- "\"%s\": No match.\n"), name);
- return NULL;
- }
- if (l == sizeof xname) {
- fprintf(stderr, catgets(catd, CATSET, 83,
- "\"%s\": Expansion buffer overflow.\n"), name);
- return NULL;
- }
- xname[l] = 0;
- for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
- ;
- cp[1] = '\0';
- if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
- fprintf(stderr, catgets(catd, CATSET, 84,
- "\"%s\": Ambiguous.\n"), name);
- return NULL;
- }
- return savestr(xname);
-#endif /* !HAVE_WORDEXP */
}
/*

25
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch Normal file
View File

@ -0,0 +1,25 @@
From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Nov 2014 13:11:32 +0100
Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
---
fio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fio.c b/fio.c
index 1529236..774a204 100644
--- a/fio.c
+++ b/fio.c
@@ -497,7 +497,7 @@ globname(char *name)
sigemptyset(&nset);
sigaddset(&nset, SIGCHLD);
sigprocmask(SIG_BLOCK, &nset, NULL);
- i = wordexp(name, &we, 0);
+ i = wordexp(name, &we, WRDE_NOCMD);
sigprocmask(SIG_UNBLOCK, &nset, NULL);
switch (i) {
case 0:
--
1.9.3

6
mailx-12.5.dif
View File

@ -116,15 +116,15 @@
#include "extern.h"
#include <sys/stat.h>
--- fio.c
+++ fio.c 2006-07-20 11:42:19.000000000 +0000
+++ fio.c 2014-12-11 09:34:19.233519754 +0000
@@ -42,6 +42,7 @@ static char sccsid[] = "@(#)fio.c 2.76 (
#endif
#endif /* not lint */
+#include "config.h"
#include "rcv.h"
#include <sys/stat.h>
#include <sys/file.h>
#ifndef HAVE_WORDEXP
--- getname.c
+++ getname.c 2006-07-20 11:42:19.000000000 +0000
@@ -42,6 +42,7 @@ static char sccsid[] = "@(#)getname.c 2.

13
mailx.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Dec 11 11:46:53 UTC 2014 - werner@suse.de
- Add patches
0001-outof-Introduce-expandaddr-flag.patch
0002-unpack-Disable-option-processing-for-email-addresses.patch
0003-fio.c-Unconditionally-require-wordexp-support.patch
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
to fix bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell
command injection via crafted email addresses
-------------------------------------------------------------------
Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org
@ -8,7 +19,7 @@ Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org
-------------------------------------------------------------------
Fri Dec 6 12:48:27 UTC 2013 - werner@suse.de
- Correct commnet in spec file
- Correct comment in spec file
-------------------------------------------------------------------
Wed Dec 4 08:54:21 UTC 2013 - werner@suse.de

14
mailx.spec
View File

@ -43,6 +43,14 @@ Patch6: mailx-fix-openssl.patch
Patch7: mailx-12.5-parentheses.dif
#PATCH-FIX-SUSE: Fix IPv6 address handling
Patch8: mailx-12.5-ipv6.dif
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
Patch9: 0001-outof-Introduce-expandaddr-flag.patch
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
Patch10: 0002-unpack-Disable-option-processing-for-email-addresses.patch
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
Patch11: 0003-fio.c-Unconditionally-require-wordexp-support.patch
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
Patch12: 0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -62,7 +70,11 @@ minor enhancements like the ability to set a "From:" address.
%patch6 -p0 -b .ssl
%patch7 -p0 -b .par
%patch8 -p0 -b .ipv6
%patch -p0 -b .0
%patch9 -p1 -b .0001
%patch10 -p1 -b .0002
%patch11 -p1 -b .0003
%patch12 -p1 -b .0004
%patch -p0 -b .0
%build
CC=gcc

11
nail-11.25-path.dif
View File

@ -196,17 +196,6 @@
sigemptyset(&set);
if (run_command(edit, oldint != SIG_IGN ? &set : NULL, -1, -1,
tempEdit, NULL, NULL) < 0) {
--- fio.c
+++ fio.c 2005-10-14 13:44:09.000000000 +0000
@@ -542,7 +542,7 @@ globname(char *name)
}
snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
if ((shell = value("SHELL")) == NULL)
- shell = SHELL;
+ shell = PATH_CSHELL;
pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
if (pid < 0) {
close(pivec[0]);
--- main.c
+++ main.c 2005-10-14 13:44:09.000000000 +0000
@@ -403,7 +403,7 @@ usage: