diff --git a/0001-outof-Introduce-expandaddr-flag.patch b/0001-outof-Introduce-expandaddr-flag.patch
new file mode 100644
index 0000000..33551ca
--- /dev/null
+++ b/0001-outof-Introduce-expandaddr-flag.patch
@@ -0,0 +1,64 @@
+From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Mon, 17 Nov 2014 11:13:38 +0100
+Subject: [PATCH 1/4] outof: Introduce expandaddr flag
+
+Document that address expansion is disabled unless the expandaddr
+binary option is set.
+
+This has been assigned CVE-2014-7844 for BSD mailx, but it is not
+a vulnerability in Heirloom mailx because this feature was documented.
+---
+ mailx.1 | 14 ++++++++++++++
+ names.c | 3 +++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/mailx.1 b/mailx.1
+index 70a7859..22a171b 100644
+--- a/mailx.1
++++ b/mailx.1
+@@ -656,6 +656,14 @@ but any reply returned to the machine
+ will have the system wide alias expanded
+ as all mail goes through sendmail.
+ .SS "Recipient address specifications"
++If the
++.I expandaddr
++option is not set (the default), recipient addresses must be names of
++local mailboxes or Internet mail addresses.
++.PP
++If the
++.I expandaddr
++option is set, the following rules apply:
+ When an address is used to name a recipient
+ (in any of To, Cc, or Bcc),
+ names of local mail folders
+@@ -2391,6 +2399,12 @@ and exits immediately.
+ If this option is set,
+ \fImailx\fR starts even with an empty mailbox.
+ .TP
++.B expandaddr
++Causes
++.I mailx
++to expand message recipient addresses, as explained in the section,
++Recipient address specifications.
++.TP
+ .B flipr
+ Exchanges the
+ .I Respond
+diff --git a/names.c b/names.c
+index 66e976b..c69560f 100644
+--- a/names.c
++++ b/names.c
+@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
+ FILE *fout, *fin;
+ int ispipe;
+
++ if (value("expandaddr") == NULL)
++ return names;
++
+ top = names;
+ np = names;
+ time(&now);
+-- 
+1.9.3
+
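Review bot: The guard added to outof(), `if (value("expandaddr") == NULL) return names;`, hands the recipient list back untouched, while the mailx.1 text added in the same patch says that with expandaddr unset recipients "must be names of local mailboxes or Internet mail addresses" — the code does not check or refuse anything, so a recipient naming a local folder or pipe (the cases outof() and is_fileaddr() exist for) is simply forwarded to the mailer as an ordinary address. Either the manual wording should say that such names are passed through unexpanded, or the guard should reject them with a diagnostic instead of returning silently. A why-comment on the guard would make the intent clear to the next reader: `/* expandaddr unset (default): skip folder/pipe expansion; names reach the MTA as given */`. outof() begins before the hunk and continues after it, so `top`, `np` and `now` are declared outside what is visible here.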
diff --git a/0002-unpack-Disable-option-processing-for-email-addresses.patch b/0002-unpack-Disable-option-processing-for-email-addresses.patch
new file mode 100644
index 0000000..ffaa795
--- /dev/null
+++ b/0002-unpack-Disable-option-processing-for-email-addresses.patch
@@ -0,0 +1,74 @@
+From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Mon, 17 Nov 2014 11:14:06 +0100
+Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
+ when calling sendmail
+
+---
+ extern.h | 2 +-
+ names.c | 8 ++++++--
+ sendout.c | 2 +-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/extern.h b/extern.h
+index 6b85ba0..8873fe8 100644
+--- a/extern.h
++++ b/extern.h
+@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
+ int is_fileaddr(char *name);
+ struct name *usermap(struct name *names);
+ struct name *cat(struct name *n1, struct name *n2);
+-char **unpack(struct name *np);
++char **unpack(struct name *smopts, struct name *np);
+ struct name *elide(struct name *names);
+ int count(struct name *np);
+ struct name *delete_alternates(struct name *np);
+diff --git a/names.c b/names.c
+index c69560f..45bbaed 100644
+--- a/names.c
++++ b/names.c
+@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
+ * Return an error if the name list won't fit.
+ */
+ char **
+-unpack(struct name *np)
++unpack(struct name *smopts, struct name *np)
+ {
+ char **ap, **top;
+ struct name *n;
+@@ -564,7 +564,7 @@ unpack(struct name *np)
+ * the terminating 0 pointer. Additional spots may be needed
+ * to pass along -f to the host mailer.
+ */
+- extra = 2;
++ extra = 3 + count(smopts);
+ extra++;
+ metoo = value("metoo") != NULL;
+ if (metoo)
+@@ -581,6 +581,10 @@ unpack(struct name *np)
+ *ap++ = "-m";
+ if (verbose)
+ *ap++ = "-v";
++ for (; smopts != NULL; smopts = smopts->n_flink)
++ if ((smopts->n_type & GDEL) == 0)
++ *ap++ = smopts->n_name;
++ *ap++ = "--";
+ for (; n != NULL; n = n->n_flink)
+ if ((n->n_type & GDEL) == 0)
+ *ap++ = n->n_name;
+diff --git a/sendout.c b/sendout.c
+index 7b7f2eb..c52f15d 100644
+--- a/sendout.c
++++ b/sendout.c
+@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
+ #endif /* HAVE_SOCKETS */
+
+ if ((smtp = value("smtp")) == NULL) {
+- args = unpack(cat(mailargs, to));
++ args = unpack(mailargs, to);
+ if (debug || value("debug")) {
+ printf(catgets(catd, CATSET, 181,
+ "Sendmail arguments:"));
+-- 
+1.9.3
+
diff --git a/0003-fio.c-Unconditionally-require-wordexp-support.patch b/0003-fio.c-Unconditionally-require-wordexp-support.patch
new file mode 100644
index 0000000..597712a
--- /dev/null
+++ b/0003-fio.c-Unconditionally-require-wordexp-support.patch
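Review bot: The sizing comment in unpack() that the hunk leaves in place, `* to pass along -f to the host mailer.`, no longer explains the new `extra = 3 + count(smopts);` — the additional slot is for the `"--"` written after the option loop, and count(smopts) also counts GDEL-flagged entries that the loop then skips, so the estimate is a safe overcount rather than an exact fit. Suggest extending it to `* to pass along -f to the host mailer, the caller's smopts, and the "--" that ends option parsing before the recipient list.` so the next maintainer does not "fix" the 3 back to 2. The separation of options from recipients only holds if the program started with these arguments treats `--` as end-of-options; that assumption is worth recording in the same comment, since the mailer is whatever the caller configured and not necessarily sendmail. unpack() and start_mta() both begin and end outside the visible hunks.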
@@ -0,0 +1,105 @@ +From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Nov 2014 12:48:25 +0100 +Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support + +--- + fio.c | 67 +++++-------------------------------------------------------------- + 1 file changed, 5 insertions(+), 62 deletions(-) + +diff --git a/fio.c b/fio.c +index 65e8f10..1529236 100644 +--- a/fio.c ++++ b/fio.c +@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c 2.76 ( + #endif /* not lint */ + + #include "rcv.h" ++ ++#ifndef HAVE_WORDEXP ++#error wordexp support is required ++#endif ++ + #include + #include + #include +-#ifdef HAVE_WORDEXP + #include +-#endif /* HAVE_WORDEXP */ + #include + + #if defined (USE_NSS) +@@ -481,7 +484,6 @@ next: + static char * + globname(char *name) + { +-#ifdef HAVE_WORDEXP + wordexp_t we; + char *cp; + sigset_t nset; +@@ -527,65 +529,6 @@ globname(char *name) + } + wordfree(&we); + return cp; +-#else /* !HAVE_WORDEXP */ +- char xname[PATHSIZE]; +- char cmdbuf[PATHSIZE]; /* also used for file names */ +- int pid, l; +- char *cp, *shell; +- int pivec[2]; +- extern int wait_status; +- struct stat sbuf; +- +- if (pipe(pivec) < 0) { +- perror("pipe"); +- return name; +- } +- snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name); +- if ((shell = value("SHELL")) == NULL) +- shell = SHELL; +- pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL); +- if (pid < 0) { +- close(pivec[0]); +- close(pivec[1]); +- return NULL; +- } +- close(pivec[1]); +-again: +- l = read(pivec[0], xname, sizeof xname); +- if (l < 0) { +- if (errno == EINTR) +- goto again; +- perror("read"); +- close(pivec[0]); +- return NULL; +- } +- close(pivec[0]); +- if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) { +- fprintf(stderr, catgets(catd, CATSET, 81, +- "\"%s\": Expansion failed.\n"), name); +- return NULL; +- } +- if (l == 0) { +- fprintf(stderr, catgets(catd, CATSET, 82, +- "\"%s\": No match.\n"), name); +- return 
NULL; +- } +- if (l == sizeof xname) { +- fprintf(stderr, catgets(catd, CATSET, 83, +- "\"%s\": Expansion buffer overflow.\n"), name); +- return NULL; +- } +- xname[l] = 0; +- for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--) +- ; +- cp[1] = '\0'; +- if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) { +- fprintf(stderr, catgets(catd, CATSET, 84, +- "\"%s\": Ambiguous.\n"), name); +- return NULL; +- } +- return savestr(xname); +-#endif /* !HAVE_WORDEXP */ + } + + /* diff --git a/0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch b/0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch new file mode 100644 index 0000000..0d01a15 --- /dev/null +++ b/0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch @@ -0,0 +1,25 @@ +From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Nov 2014 13:11:32 +0100 +Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771) + +--- + fio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fio.c b/fio.c +index 1529236..774a204 100644 +--- a/fio.c ++++ b/fio.c +@@ -497,7 +497,7 @@ globname(char *name) + sigemptyset(&nset); + sigaddset(&nset, SIGCHLD); + sigprocmask(SIG_BLOCK, &nset, NULL); +- i = wordexp(name, &we, 0); ++ i = wordexp(name, &we, WRDE_NOCMD); + sigprocmask(SIG_UNBLOCK, &nset, NULL); + switch (i) { + case 0: +-- +1.9.3 + diff --git a/mailx-12.5.dif b/mailx-12.5.dif index 8bfd94f..67832c8 100644 --- a/mailx-12.5.dif +++ b/mailx-12.5.dif @@ -116,15 +116,15 @@ #include "extern.h" #include --- fio.c -+++ fio.c 2006-07-20 11:42:19.000000000 +0000 ++++ fio.c 2014-12-11 09:34:19.233519754 +0000 @@ -42,6 +42,7 @@ static char sccsid[] = "@(#)fio.c 2.76 ( #endif #endif /* not lint */ +#include "config.h" #include "rcv.h" - #include - #include + + #ifndef HAVE_WORDEXP --- getname.c +++ getname.c 2006-07-20 11:42:19.000000000 +0000 @@ -42,6 +42,7 @@ static char sccsid[] = "@(#)getname.c 2. 
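Review bot: The new `#error wordexp support is required` in fio.c gives no rationale, and the deleted fallback it replaces is the reason: that path formatted the caller-supplied name into `cmdbuf` with `"echo %s"` and ran it via `start_command(shell, ..., "-c", cmdbuf, NULL)`, so any build that lacked wordexp would have kept evaluating file names through the shell. A one-line comment above the directive would preserve that knowledge: `/* No shell-based globbing fallback: the old path ran "$SHELL -c 'echo NAME'"; only wordexp() is supported. */`. The check sits after `#include "rcv.h"`, which presumably is where HAVE_WORDEXP is provided (the regenerated mailx-12.5.dif shows config.h being included ahead of it) — confirm that this header is the only source of the macro, otherwise the #error can fire on a configuration that would otherwise build. globname() itself begins before the second nested hunk and its remaining body is unchanged.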
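Review bot: `i = wordexp(name, &we, WRDE_NOCMD);` turns a command substitution in `name` into a reported error instead of an executed one, but the `switch (i)` that consumes the result continues outside the hunk and only `case 0:` is visible; the call can now return WRDE_CMDSUB, and that value deserves its own case with a diagnostic in the style of the existing catgets messages (`"\"%s\": command substitution not allowed.\n"`) rather than whatever the generic branch does, so a rejected expansion is not mistaken for a missing file. WRDE_NOCMD still leaves parameter, tilde and pathname expansion enabled, so the value in `we` remains derived from untrusted input and its consumers should continue to treat it that way. The flag is also only as strong as the C library's implementation of it for every expansion form, which the patch cannot control; a comment recording the libc the build assumes would make that dependency explicit. globname() starts before the hunk and ends after it.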
diff --git a/mailx.changes b/mailx.changes index 4231005..9e0405e 100644 --- a/mailx.changes +++ b/mailx.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Dec 11 11:46:53 UTC 2014 - werner@suse.de + +- Add patches + 0001-outof-Introduce-expandaddr-flag.patch + 0002-unpack-Disable-option-processing-for-email-addresses.patch + 0003-fio.c-Unconditionally-require-wordexp-support.patch + 0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch + to fix bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell + command injection via crafted email addresses + ------------------------------------------------------------------- Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org @@ -8,7 +19,7 @@ Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org ------------------------------------------------------------------- Fri Dec 6 12:48:27 UTC 2013 - werner@suse.de -- Correct commnet in spec file +- Correct comment in spec file ------------------------------------------------------------------- Wed Dec 4 08:54:21 UTC 2013 - werner@suse.de diff --git a/mailx.spec b/mailx.spec index 23c60e8..8aa3019 100644 --- a/mailx.spec +++ b/mailx.spec 
@@ -43,6 +43,14 @@ Patch6: mailx-fix-openssl.patch Patch7: mailx-12.5-parentheses.dif #PATCH-FIX-SUSE: Fix IPv6 address handling Patch8: mailx-12.5-ipv6.dif +#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses +Patch9: 0001-outof-Introduce-expandaddr-flag.patch +#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses +Patch10: 0002-unpack-Disable-option-processing-for-email-addresses.patch +#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses +Patch11: 0003-fio.c-Unconditionally-require-wordexp-support.patch +#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses +Patch12: 0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -62,7 +70,11 @@ minor enhancements like the ability to set a "From:" address. %patch6 -p0 -b .ssl %patch7 -p0 -b .par %patch8 -p0 -b .ipv6 -%patch -p0 -b .0 +%patch9 -p1 -b .0001 +%patch10 -p1 -b .0002 +%patch11 -p1 -b .0003 +%patch12 -p1 -b .0004 +%patch -p0 -b .0 %build CC=gcc diff --git a/nail-11.25-path.dif b/nail-11.25-path.dif index d2a4c64..a2d8e85 100644 --- a/nail-11.25-path.dif +++ b/nail-11.25-path.dif @@ -196,17 +196,6 @@ sigemptyset(&set); if (run_command(edit, oldint != SIG_IGN ? &set : NULL, -1, -1, tempEdit, NULL, NULL) < 0) { ---- fio.c -+++ fio.c 2005-10-14 13:44:09.000000000 +0000 -@@ -542,7 +542,7 @@ globname(char *name) - } - snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name); - if ((shell = value("SHELL")) == NULL) -- shell = SHELL; -+ shell = PATH_CSHELL; - pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL); - if (pid < 0) { - close(pivec[0]); --- main.c +++ main.c 2005-10-14 13:44:09.000000000 +0000 @@ -403,7 +403,7 @@ usage: