Accepting request 265561 from server:mail
- Add patches 0001-outof-Introduce-expandaddr-flag.patch 0002-unpack-Disable-option-processing-for-email-addresses.patch 0003-fio.c-Unconditionally-require-wordexp-support.patch 0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch to fix bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses - Correct comment in spec file OBS-URL: https://build.opensuse.org/request/show/265561 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mailx?expand=0&rev=34
This commit is contained in:
commit
e989b1b05f
64
0001-outof-Introduce-expandaddr-flag.patch
Normal file
64
0001-outof-Introduce-expandaddr-flag.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Weimer <fweimer@redhat.com>
|
||||||
|
Date: Mon, 17 Nov 2014 11:13:38 +0100
|
||||||
|
Subject: [PATCH 1/4] outof: Introduce expandaddr flag
|
||||||
|
|
||||||
|
Document that address expansion is disabled unless the expandaddr
|
||||||
|
binary option is set.
|
||||||
|
|
||||||
|
This has been assigned CVE-2014-7844 for BSD mailx, but it is not
|
||||||
|
a vulnerability in Heirloom mailx because this feature was documented.
|
||||||
|
---
|
||||||
|
mailx.1 | 14 ++++++++++++++
|
||||||
|
names.c | 3 +++
|
||||||
|
2 files changed, 17 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/mailx.1 b/mailx.1
|
||||||
|
index 70a7859..22a171b 100644
|
||||||
|
--- a/mailx.1
|
||||||
|
+++ b/mailx.1
|
||||||
|
@@ -656,6 +656,14 @@ but any reply returned to the machine
|
||||||
|
will have the system wide alias expanded
|
||||||
|
as all mail goes through sendmail.
|
||||||
|
.SS "Recipient address specifications"
|
||||||
|
+If the
|
||||||
|
+.I expandaddr
|
||||||
|
+option is not set (the default), recipient addresses must be names of
|
||||||
|
+local mailboxes or Internet mail addresses.
|
||||||
|
+.PP
|
||||||
|
+If the
|
||||||
|
+.I expandaddr
|
||||||
|
+option is set, the following rules apply:
|
||||||
|
When an address is used to name a recipient
|
||||||
|
(in any of To, Cc, or Bcc),
|
||||||
|
names of local mail folders
|
||||||
|
@@ -2391,6 +2399,12 @@ and exits immediately.
|
||||||
|
If this option is set,
|
||||||
|
\fImailx\fR starts even with an empty mailbox.
|
||||||
|
.TP
|
||||||
|
+.B expandaddr
|
||||||
|
+Causes
|
||||||
|
+.I mailx
|
||||||
|
+to expand message recipient addresses, as explained in the section,
|
||||||
|
+Recipient address specifications.
|
||||||
|
+.TP
|
||||||
|
.B flipr
|
||||||
|
Exchanges the
|
||||||
|
.I Respond
|
||||||
|
diff --git a/names.c b/names.c
|
||||||
|
index 66e976b..c69560f 100644
|
||||||
|
--- a/names.c
|
||||||
|
+++ b/names.c
|
||||||
|
@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
|
||||||
|
FILE *fout, *fin;
|
||||||
|
int ispipe;
|
||||||
|
|
||||||
|
+ if (value("expandaddr") == NULL)
|
||||||
|
+ return names;
|
||||||
|
+
|
||||||
|
top = names;
|
||||||
|
np = names;
|
||||||
|
time(&now);
|
||||||
|
--
|
||||||
|
1.9.3
|
||||||
|
|
@ -0,0 +1,74 @@
|
|||||||
|
From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Weimer <fweimer@redhat.com>
|
||||||
|
Date: Mon, 17 Nov 2014 11:14:06 +0100
|
||||||
|
Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
|
||||||
|
when calling sendmail
|
||||||
|
|
||||||
|
---
|
||||||
|
extern.h | 2 +-
|
||||||
|
names.c | 8 ++++++--
|
||||||
|
sendout.c | 2 +-
|
||||||
|
3 files changed, 8 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/extern.h b/extern.h
|
||||||
|
index 6b85ba0..8873fe8 100644
|
||||||
|
--- a/extern.h
|
||||||
|
+++ b/extern.h
|
||||||
|
@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
|
||||||
|
int is_fileaddr(char *name);
|
||||||
|
struct name *usermap(struct name *names);
|
||||||
|
struct name *cat(struct name *n1, struct name *n2);
|
||||||
|
-char **unpack(struct name *np);
|
||||||
|
+char **unpack(struct name *smopts, struct name *np);
|
||||||
|
struct name *elide(struct name *names);
|
||||||
|
int count(struct name *np);
|
||||||
|
struct name *delete_alternates(struct name *np);
|
||||||
|
diff --git a/names.c b/names.c
|
||||||
|
index c69560f..45bbaed 100644
|
||||||
|
--- a/names.c
|
||||||
|
+++ b/names.c
|
||||||
|
@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
|
||||||
|
* Return an error if the name list won't fit.
|
||||||
|
*/
|
||||||
|
char **
|
||||||
|
-unpack(struct name *np)
|
||||||
|
+unpack(struct name *smopts, struct name *np)
|
||||||
|
{
|
||||||
|
char **ap, **top;
|
||||||
|
struct name *n;
|
||||||
|
@@ -564,7 +564,7 @@ unpack(struct name *np)
|
||||||
|
* the terminating 0 pointer. Additional spots may be needed
|
||||||
|
* to pass along -f to the host mailer.
|
||||||
|
*/
|
||||||
|
- extra = 2;
|
||||||
|
+ extra = 3 + count(smopts);
|
||||||
|
extra++;
|
||||||
|
metoo = value("metoo") != NULL;
|
||||||
|
if (metoo)
|
||||||
|
@@ -581,6 +581,10 @@ unpack(struct name *np)
|
||||||
|
*ap++ = "-m";
|
||||||
|
if (verbose)
|
||||||
|
*ap++ = "-v";
|
||||||
|
+ for (; smopts != NULL; smopts = smopts->n_flink)
|
||||||
|
+ if ((smopts->n_type & GDEL) == 0)
|
||||||
|
+ *ap++ = smopts->n_name;
|
||||||
|
+ *ap++ = "--";
|
||||||
|
for (; n != NULL; n = n->n_flink)
|
||||||
|
if ((n->n_type & GDEL) == 0)
|
||||||
|
*ap++ = n->n_name;
|
||||||
|
diff --git a/sendout.c b/sendout.c
|
||||||
|
index 7b7f2eb..c52f15d 100644
|
||||||
|
--- a/sendout.c
|
||||||
|
+++ b/sendout.c
|
||||||
|
@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
|
||||||
|
#endif /* HAVE_SOCKETS */
|
||||||
|
|
||||||
|
if ((smtp = value("smtp")) == NULL) {
|
||||||
|
- args = unpack(cat(mailargs, to));
|
||||||
|
+ args = unpack(mailargs, to);
|
||||||
|
if (debug || value("debug")) {
|
||||||
|
printf(catgets(catd, CATSET, 181,
|
||||||
|
"Sendmail arguments:"));
|
||||||
|
--
|
||||||
|
1.9.3
|
||||||
|
|
105
0003-fio.c-Unconditionally-require-wordexp-support.patch
Normal file
105
0003-fio.c-Unconditionally-require-wordexp-support.patch
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Weimer <fweimer@redhat.com>
|
||||||
|
Date: Mon, 17 Nov 2014 12:48:25 +0100
|
||||||
|
Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support
|
||||||
|
|
||||||
|
---
|
||||||
|
fio.c | 67 +++++--------------------------------------------------------------
|
||||||
|
1 file changed, 5 insertions(+), 62 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/fio.c b/fio.c
|
||||||
|
index 65e8f10..1529236 100644
|
||||||
|
--- a/fio.c
|
||||||
|
+++ b/fio.c
|
||||||
|
@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c 2.76 (
|
||||||
|
#endif /* not lint */
|
||||||
|
|
||||||
|
#include "rcv.h"
|
||||||
|
+
|
||||||
|
+#ifndef HAVE_WORDEXP
|
||||||
|
+#error wordexp support is required
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <sys/file.h>
|
||||||
|
#include <sys/wait.h>
|
||||||
|
-#ifdef HAVE_WORDEXP
|
||||||
|
#include <wordexp.h>
|
||||||
|
-#endif /* HAVE_WORDEXP */
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#if defined (USE_NSS)
|
||||||
|
@@ -481,7 +484,6 @@ next:
|
||||||
|
static char *
|
||||||
|
globname(char *name)
|
||||||
|
{
|
||||||
|
-#ifdef HAVE_WORDEXP
|
||||||
|
wordexp_t we;
|
||||||
|
char *cp;
|
||||||
|
sigset_t nset;
|
||||||
|
@@ -527,65 +529,6 @@ globname(char *name)
|
||||||
|
}
|
||||||
|
wordfree(&we);
|
||||||
|
return cp;
|
||||||
|
-#else /* !HAVE_WORDEXP */
|
||||||
|
- char xname[PATHSIZE];
|
||||||
|
- char cmdbuf[PATHSIZE]; /* also used for file names */
|
||||||
|
- int pid, l;
|
||||||
|
- char *cp, *shell;
|
||||||
|
- int pivec[2];
|
||||||
|
- extern int wait_status;
|
||||||
|
- struct stat sbuf;
|
||||||
|
-
|
||||||
|
- if (pipe(pivec) < 0) {
|
||||||
|
- perror("pipe");
|
||||||
|
- return name;
|
||||||
|
- }
|
||||||
|
- snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
|
||||||
|
- if ((shell = value("SHELL")) == NULL)
|
||||||
|
- shell = SHELL;
|
||||||
|
- pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
|
||||||
|
- if (pid < 0) {
|
||||||
|
- close(pivec[0]);
|
||||||
|
- close(pivec[1]);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- close(pivec[1]);
|
||||||
|
-again:
|
||||||
|
- l = read(pivec[0], xname, sizeof xname);
|
||||||
|
- if (l < 0) {
|
||||||
|
- if (errno == EINTR)
|
||||||
|
- goto again;
|
||||||
|
- perror("read");
|
||||||
|
- close(pivec[0]);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- close(pivec[0]);
|
||||||
|
- if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) {
|
||||||
|
- fprintf(stderr, catgets(catd, CATSET, 81,
|
||||||
|
- "\"%s\": Expansion failed.\n"), name);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- if (l == 0) {
|
||||||
|
- fprintf(stderr, catgets(catd, CATSET, 82,
|
||||||
|
- "\"%s\": No match.\n"), name);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- if (l == sizeof xname) {
|
||||||
|
- fprintf(stderr, catgets(catd, CATSET, 83,
|
||||||
|
- "\"%s\": Expansion buffer overflow.\n"), name);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- xname[l] = 0;
|
||||||
|
- for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
|
||||||
|
- ;
|
||||||
|
- cp[1] = '\0';
|
||||||
|
- if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
|
||||||
|
- fprintf(stderr, catgets(catd, CATSET, 84,
|
||||||
|
- "\"%s\": Ambiguous.\n"), name);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
- return savestr(xname);
|
||||||
|
-#endif /* !HAVE_WORDEXP */
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
@ -0,0 +1,25 @@
|
|||||||
|
From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Weimer <fweimer@redhat.com>
|
||||||
|
Date: Mon, 17 Nov 2014 13:11:32 +0100
|
||||||
|
Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
|
||||||
|
|
||||||
|
---
|
||||||
|
fio.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/fio.c b/fio.c
|
||||||
|
index 1529236..774a204 100644
|
||||||
|
--- a/fio.c
|
||||||
|
+++ b/fio.c
|
||||||
|
@@ -497,7 +497,7 @@ globname(char *name)
|
||||||
|
sigemptyset(&nset);
|
||||||
|
sigaddset(&nset, SIGCHLD);
|
||||||
|
sigprocmask(SIG_BLOCK, &nset, NULL);
|
||||||
|
- i = wordexp(name, &we, 0);
|
||||||
|
+ i = wordexp(name, &we, WRDE_NOCMD);
|
||||||
|
sigprocmask(SIG_UNBLOCK, &nset, NULL);
|
||||||
|
switch (i) {
|
||||||
|
case 0:
|
||||||
|
--
|
||||||
|
1.9.3
|
||||||
|
|
@ -116,15 +116,15 @@
|
|||||||
#include "extern.h"
|
#include "extern.h"
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
--- fio.c
|
--- fio.c
|
||||||
+++ fio.c 2006-07-20 11:42:19.000000000 +0000
|
+++ fio.c 2014-12-11 09:34:19.233519754 +0000
|
||||||
@@ -42,6 +42,7 @@ static char sccsid[] = "@(#)fio.c 2.76 (
|
@@ -42,6 +42,7 @@ static char sccsid[] = "@(#)fio.c 2.76 (
|
||||||
#endif
|
#endif
|
||||||
#endif /* not lint */
|
#endif /* not lint */
|
||||||
|
|
||||||
+#include "config.h"
|
+#include "config.h"
|
||||||
#include "rcv.h"
|
#include "rcv.h"
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <sys/file.h>
|
#ifndef HAVE_WORDEXP
|
||||||
--- getname.c
|
--- getname.c
|
||||||
+++ getname.c 2006-07-20 11:42:19.000000000 +0000
|
+++ getname.c 2006-07-20 11:42:19.000000000 +0000
|
||||||
@@ -42,6 +42,7 @@ static char sccsid[] = "@(#)getname.c 2.
|
@@ -42,6 +42,7 @@ static char sccsid[] = "@(#)getname.c 2.
|
||||||
|
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 11 11:46:53 UTC 2014 - werner@suse.de
|
||||||
|
|
||||||
|
- Add patches
|
||||||
|
0001-outof-Introduce-expandaddr-flag.patch
|
||||||
|
0002-unpack-Disable-option-processing-for-email-addresses.patch
|
||||||
|
0003-fio.c-Unconditionally-require-wordexp-support.patch
|
||||||
|
0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
|
||||||
|
to fix bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell
|
||||||
|
command injection via crafted email addresses
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org
|
Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
@ -8,7 +19,7 @@ Sat Apr 19 19:57:00 UTC 2014 - crrodriguez@opensuse.org
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Dec 6 12:48:27 UTC 2013 - werner@suse.de
|
Fri Dec 6 12:48:27 UTC 2013 - werner@suse.de
|
||||||
|
|
||||||
- Correct commnet in spec file
|
- Correct comment in spec file
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Dec 4 08:54:21 UTC 2013 - werner@suse.de
|
Wed Dec 4 08:54:21 UTC 2013 - werner@suse.de
|
||||||
|
14
mailx.spec
14
mailx.spec
@ -43,6 +43,14 @@ Patch6: mailx-fix-openssl.patch
|
|||||||
Patch7: mailx-12.5-parentheses.dif
|
Patch7: mailx-12.5-parentheses.dif
|
||||||
#PATCH-FIX-SUSE: Fix IPv6 address handling
|
#PATCH-FIX-SUSE: Fix IPv6 address handling
|
||||||
Patch8: mailx-12.5-ipv6.dif
|
Patch8: mailx-12.5-ipv6.dif
|
||||||
|
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
|
||||||
|
Patch9: 0001-outof-Introduce-expandaddr-flag.patch
|
||||||
|
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
|
||||||
|
Patch10: 0002-unpack-Disable-option-processing-for-email-addresses.patch
|
||||||
|
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
|
||||||
|
Patch11: 0003-fio.c-Unconditionally-require-wordexp-support.patch
|
||||||
|
#PATCH-FIX-SUSE: bsc#909208 -- CVE-2004-2771, CVE-2014-7844: mailx: shell command injection via crafted email addresses
|
||||||
|
Patch12: 0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -62,7 +70,11 @@ minor enhancements like the ability to set a "From:" address.
|
|||||||
%patch6 -p0 -b .ssl
|
%patch6 -p0 -b .ssl
|
||||||
%patch7 -p0 -b .par
|
%patch7 -p0 -b .par
|
||||||
%patch8 -p0 -b .ipv6
|
%patch8 -p0 -b .ipv6
|
||||||
%patch -p0 -b .0
|
%patch9 -p1 -b .0001
|
||||||
|
%patch10 -p1 -b .0002
|
||||||
|
%patch11 -p1 -b .0003
|
||||||
|
%patch12 -p1 -b .0004
|
||||||
|
%patch -p0 -b .0
|
||||||
|
|
||||||
%build
|
%build
|
||||||
CC=gcc
|
CC=gcc
|
||||||
|
@ -196,17 +196,6 @@
|
|||||||
sigemptyset(&set);
|
sigemptyset(&set);
|
||||||
if (run_command(edit, oldint != SIG_IGN ? &set : NULL, -1, -1,
|
if (run_command(edit, oldint != SIG_IGN ? &set : NULL, -1, -1,
|
||||||
tempEdit, NULL, NULL) < 0) {
|
tempEdit, NULL, NULL) < 0) {
|
||||||
--- fio.c
|
|
||||||
+++ fio.c 2005-10-14 13:44:09.000000000 +0000
|
|
||||||
@@ -542,7 +542,7 @@ globname(char *name)
|
|
||||||
}
|
|
||||||
snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
|
|
||||||
if ((shell = value("SHELL")) == NULL)
|
|
||||||
- shell = SHELL;
|
|
||||||
+ shell = PATH_CSHELL;
|
|
||||||
pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
|
|
||||||
if (pid < 0) {
|
|
||||||
close(pivec[0]);
|
|
||||||
--- main.c
|
--- main.c
|
||||||
+++ main.c 2005-10-14 13:44:09.000000000 +0000
|
+++ main.c 2005-10-14 13:44:09.000000000 +0000
|
||||||
@@ -403,7 +403,7 @@ usage:
|
@@ -403,7 +403,7 @@ usage:
|
||||||
|
Loading…
Reference in New Issue
Block a user