
Bug#773608: marked as done (unblock: heirloom-mailx/12.5-3.1)



Your message dated Sat, 20 Dec 2014 19:44:36 +0000
with message-id <20141220194436.GE11902@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#773608: unblock: heirloom-mailx/12.5-3.1
has caused the Debian Bug report #773608,
regarding unblock: heirloom-mailx/12.5-3.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773608: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773608
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team!

I prepared an upload for heirloom-mailx with the same patches as used
by Florian for doing the DSA-3105-1[1], see also #773417[2].

 [1] https://www.debian.org/security/2014/dsa-3105
 [2] https://bugs.debian.org/773417

The changelog entry reads as:

>heirloom-mailx (12.5-3.1) unstable; urgency=high
>
>  * Non-maintainer upload.
>  * Apply patches from Red Hat (Florian Weimer) to address command
>    execution issues (Closes: #773417):
>    + 0011-outof-Introduce-expandaddr-flag.patch
>      Disable command execution in email addresses (CVE-2014-7844)
>    + 0012-unpack-Disable-option-processing-for-email-addresses.patch
>    + 0013-fio.c-Unconditionally-require-wordexp-support.patch
>    + 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch (CVE-2004-2771)
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 20 Dec 2014 06:55:53 +0100

I attached also the complete debdiff to this request. Could you
consider an unblock of heirloom-mailx to testing, so that we have the
same fixes also in jessie?

unblock heirloom-mailx/12.5-3.1

Regards,
Salvatore
diff -Nru heirloom-mailx-12.5/debian/changelog heirloom-mailx-12.5/debian/changelog
--- heirloom-mailx-12.5/debian/changelog	2014-09-12 20:31:33.000000000 +0200
+++ heirloom-mailx-12.5/debian/changelog	2014-12-20 07:16:54.000000000 +0100
@@ -1,3 +1,16 @@
+heirloom-mailx (12.5-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Apply patches from Red Hat (Florian Weimer) to address command
+    execution issues (Closes: #773417):
+    + 0011-outof-Introduce-expandaddr-flag.patch
+      Disable command execution in email addresses (CVE-2014-7844)
+    + 0012-unpack-Disable-option-processing-for-email-addresses.patch
+    + 0013-fio.c-Unconditionally-require-wordexp-support.patch
+    + 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch (CVE-2004-2771)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 20 Dec 2014 06:55:53 +0100
+
 heirloom-mailx (12.5-3) unstable; urgency=low
 
   * Modernized the package
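
Review bot: The entry for 0011 does not say that it changes default behaviour. Per that patch, recipient address expansion now happens only when the `expandaddr` option is set, so the changelog (or a NEWS entry) should tell users who relied on expansion that they have to set `expandaddr`. The entry also attaches CVE-2014-7844 to 0011, while the patch's own description says the CVE was assigned for BSD mailx and is not a vulnerability in Heirloom mailx; wording the entry as hardening related to that CVE would match the patch.
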
diff -Nru heirloom-mailx-12.5/debian/patches/0011-outof-Introduce-expandaddr-flag.patch heirloom-mailx-12.5/debian/patches/0011-outof-Introduce-expandaddr-flag.patch
--- heirloom-mailx-12.5/debian/patches/0011-outof-Introduce-expandaddr-flag.patch	1970-01-01 01:00:00.000000000 +0100
+++ heirloom-mailx-12.5/debian/patches/0011-outof-Introduce-expandaddr-flag.patch	2014-12-20 07:16:54.000000000 +0100
@@ -0,0 +1,65 @@
+From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 17 Nov 2014 11:13:38 +0100
+Subject: [PATCH 1/4] outof: Introduce expandaddr flag
+
+Document that address expansion is disabled unless the expandaddr
+binary option is set.
+
+This has been assigned CVE-2014-7844 for BSD mailx, but it is not
+a vulnerability in Heirloom mailx because this feature was documented.
+---
+ mailx.1 | 14 ++++++++++++++
+ names.c |  3 +++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/mailx.1 b/mailx.1
+index 70a7859..22a171b 100644
+--- a/mailx.1
++++ b/mailx.1
+@@ -656,6 +656,14 @@ but any reply returned to the machine
+ will have the system wide alias expanded
+ as all mail goes through sendmail.
+ .SS "Recipient address specifications"
++If the
++.I expandaddr
++option is not set (the default), recipient addresses must be names of
++local mailboxes or Internet mail addresses.
++.PP
++If the
++.I expandaddr
++option is set, the following rules apply:
+ When an address is used to name a recipient
+ (in any of To, Cc, or Bcc),
+ names of local mail folders
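
Review bot: The paragraph added at the top of "Recipient address specifications" says what addresses must be when `expandaddr` is unset, but not what mailx does with a recipient that is something else. From the `names.c` change in this same patch, `outof()` returns the list untouched in that case, so such a recipient is passed on as an ordinary address; the manual should state that, and that this default differs from the earlier behaviour.
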
+@@ -2391,6 +2399,12 @@ and exits immediately.
+ If this option is set,
+ \fImailx\fR starts even with an empty mailbox.
+ .TP
++.B expandaddr
++Causes
++.I mailx
++to expand message recipient addresses, as explained in the section,
++Recipient address specifications.
++.TP
+ .B flipr
+ Exchanges the
+ .I Respond
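
Review bot: The `expandaddr` entry in the option list does not state its default. Add that it is unset by default here as well, since a reader of the option list will not necessarily read the "Recipient address specifications" section, and drop the comma after "section".
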
+diff --git a/names.c b/names.c
+index 66e976b..c69560f 100644
+--- a/names.c
++++ b/names.c
+@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
+ 	FILE *fout, *fin;
+ 	int ispipe;
+ 
++	if (value("expandaddr") == NULL)
++		return names;
++
+ 	top = names;
+ 	np = names;
+ 	time(&now);
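
Review bot: The commit message says this patch documents that address expansion is disabled, but the early return added at the top of `outof()` is what disables it, so the message should describe a behaviour change. When `return names;` is taken, recipients that would previously have been expanded stay in the list unchanged and are handed to the MTA as addresses; a short comment above the check saying so, and that it relies on the `--` separator added in patch 2/4, would help the next reader.
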
+-- 
+1.9.3
+
+
diff -Nru heirloom-mailx-12.5/debian/patches/0012-unpack-Disable-option-processing-for-email-addresses.patch heirloom-mailx-12.5/debian/patches/0012-unpack-Disable-option-processing-for-email-addresses.patch
--- heirloom-mailx-12.5/debian/patches/0012-unpack-Disable-option-processing-for-email-addresses.patch	1970-01-01 01:00:00.000000000 +0100
+++ heirloom-mailx-12.5/debian/patches/0012-unpack-Disable-option-processing-for-email-addresses.patch	2014-12-20 07:16:54.000000000 +0100
@@ -0,0 +1,75 @@
+From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 17 Nov 2014 11:14:06 +0100
+Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
+ when calling sendmail
+
+---
+ extern.h  | 2 +-
+ names.c   | 8 ++++++--
+ sendout.c | 2 +-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/extern.h b/extern.h
+index 6b85ba0..8873fe8 100644
+--- a/extern.h
++++ b/extern.h
+@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
+ int is_fileaddr(char *name);
+ struct name *usermap(struct name *names);
+ struct name *cat(struct name *n1, struct name *n2);
+-char **unpack(struct name *np);
++char **unpack(struct name *smopts, struct name *np);
+ struct name *elide(struct name *names);
+ int count(struct name *np);
+ struct name *delete_alternates(struct name *np);
+diff --git a/names.c b/names.c
+index c69560f..45bbaed 100644
+--- a/names.c
++++ b/names.c
+@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
+  * Return an error if the name list won't fit.
+  */
+ char **
+-unpack(struct name *np)
++unpack(struct name *smopts, struct name *np)
+ {
+ 	char **ap, **top;
+ 	struct name *n;
+@@ -564,7 +564,7 @@ unpack(struct name *np)
+ 	 * the terminating 0 pointer.  Additional spots may be needed
+ 	 * to pass along -f to the host mailer.
+ 	 */
+-	extra = 2;
++	extra = 3 + count(smopts);
+ 	extra++;
+ 	metoo = value("metoo") != NULL;
+ 	if (metoo)
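
Review bot: The visible part of the comment above `extra = 3 + count(smopts);` mentions only the terminating 0 pointer and `-f`; it should be updated to say that one added slot is for the `--` separator and that `count(smopts)` slots are for the mailer options now copied separately. A bare `3` followed by `extra++` is hard to audit for an argv array whose overflow would be a memory-safety bug, so naming each slot in the comment is worth the lines.
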
+@@ -581,6 +581,10 @@ unpack(struct name *np)
+ 		*ap++ = "-m";
+ 	if (verbose)
+ 		*ap++ = "-v";
++	for (; smopts != NULL; smopts = smopts->n_flink)
++		if ((smopts->n_type & GDEL) == 0)
++			*ap++ = smopts->n_name;
++	*ap++ = "--";
+ 	for (; n != NULL; n = n->n_flink)
+ 		if ((n->n_type & GDEL) == 0)
+ 			*ap++ = n->n_name;
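
Review bot: `*ap++ = "--";` is emitted unconditionally between the mailer options and the recipients, which assumes that every sendmail-compatible program receiving this argv accepts `--` as end of options. State that assumption in a comment here and in the manual, together with the reason given in the patch subject: without the separator, a recipient beginning with `-` is subject to option processing by the MTA.
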
+diff --git a/sendout.c b/sendout.c
+index 7b7f2eb..c52f15d 100644
+--- a/sendout.c
++++ b/sendout.c
+@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
+ #endif	/* HAVE_SOCKETS */
+ 
+ 	if ((smtp = value("smtp")) == NULL) {
+-		args = unpack(cat(mailargs, to));
++		args = unpack(mailargs, to);
+ 		if (debug || value("debug")) {
+ 			printf(catgets(catd, CATSET, 181,
+ 					"Sendmail arguments:"));
+-- 
+1.9.3
+
+
diff -Nru heirloom-mailx-12.5/debian/patches/0013-fio.c-Unconditionally-require-wordexp-support.patch heirloom-mailx-12.5/debian/patches/0013-fio.c-Unconditionally-require-wordexp-support.patch
--- heirloom-mailx-12.5/debian/patches/0013-fio.c-Unconditionally-require-wordexp-support.patch	1970-01-01 01:00:00.000000000 +0100
+++ heirloom-mailx-12.5/debian/patches/0013-fio.c-Unconditionally-require-wordexp-support.patch	2014-12-20 07:16:54.000000000 +0100
@@ -0,0 +1,109 @@
+From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 17 Nov 2014 12:48:25 +0100
+Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support
+
+---
+ fio.c | 67 +++++--------------------------------------------------------------
+ 1 file changed, 5 insertions(+), 62 deletions(-)
+
+diff --git a/fio.c b/fio.c
+index 65e8f10..1529236 100644
+--- a/fio.c
++++ b/fio.c
+@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c	2.76 (gritter) 9/16/09";
+ #endif /* not lint */
+ 
+ #include "rcv.h"
++
++#ifndef HAVE_WORDEXP
++#error wordexp support is required
++#endif
++
+ #include <sys/stat.h>
+ #include <sys/file.h>
+ #include <sys/wait.h>
+-#ifdef	HAVE_WORDEXP
+ #include <wordexp.h>
+-#endif	/* HAVE_WORDEXP */
+ #include <unistd.h>
+ 
+ #if defined (USE_NSS)
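
Review bot: The `#error wordexp support is required` added after `#include "rcv.h"` stops the build in the middle of compiling `fio.c` and gives no reason. Prefer failing in the configuration step that defines `HAVE_WORDEXP`, and extend the message to say that the shell-based fallback in `globname()` has been removed, so that a porter who hits it does not simply restore the old code.
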
+@@ -481,7 +484,6 @@ next:
+ static char *
+ globname(char *name)
+ {
+-#ifdef	HAVE_WORDEXP
+ 	wordexp_t we;
+ 	char *cp;
+ 	sigset_t nset;
+@@ -527,65 +529,6 @@ globname(char *name)
+ 	}
+ 	wordfree(&we);
+ 	return cp;
+-#else	/* !HAVE_WORDEXP */
+-	char xname[PATHSIZE];
+-	char cmdbuf[PATHSIZE];		/* also used for file names */
+-	int pid, l;
+-	char *cp, *shell;
+-	int pivec[2];
+-	extern int wait_status;
+-	struct stat sbuf;
+-
+-	if (pipe(pivec) < 0) {
+-		perror("pipe");
+-		return name;
+-	}
+-	snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
+-	if ((shell = value("SHELL")) == NULL)
+-		shell = SHELL;
+-	pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
+-	if (pid < 0) {
+-		close(pivec[0]);
+-		close(pivec[1]);
+-		return NULL;
+-	}
+-	close(pivec[1]);
+-again:
+-	l = read(pivec[0], xname, sizeof xname);
+-	if (l < 0) {
+-		if (errno == EINTR)
+-			goto again;
+-		perror("read");
+-		close(pivec[0]);
+-		return NULL;
+-	}
+-	close(pivec[0]);
+-	if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) {
+-		fprintf(stderr, catgets(catd, CATSET, 81,
+-				"\"%s\": Expansion failed.\n"), name);
+-		return NULL;
+-	}
+-	if (l == 0) {
+-		fprintf(stderr, catgets(catd, CATSET, 82,
+-					"\"%s\": No match.\n"), name);
+-		return NULL;
+-	}
+-	if (l == sizeof xname) {
+-		fprintf(stderr, catgets(catd, CATSET, 83,
+-				"\"%s\": Expansion buffer overflow.\n"), name);
+-		return NULL;
+-	}
+-	xname[l] = 0;
+-	for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
+-		;
+-	cp[1] = '\0';
+-	if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
+-		fprintf(stderr, catgets(catd, CATSET, 84,
+-				"\"%s\": Ambiguous.\n"), name);
+-		return NULL;
+-	}
+-	return savestr(xname);
+-#endif	/* !HAVE_WORDEXP */
+ }
+ 
+ /*
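
Review bot: The commit has no description, and the reason for deleting the `#else` branch of `globname()` should be recorded in it: the removed code formats `name` into `"echo %s"` and runs the result with the user's shell and `-c`, so every shell construct in the name is interpreted. Stating that also makes clear that this removal is a precondition for patch 4/4, since `WRDE_NOCMD` has no effect on a build that used the fallback.
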
+-- 
+1.9.3
+
+
diff -Nru heirloom-mailx-12.5/debian/patches/0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch heirloom-mailx-12.5/debian/patches/0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch
--- heirloom-mailx-12.5/debian/patches/0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch	1970-01-01 01:00:00.000000000 +0100
+++ heirloom-mailx-12.5/debian/patches/0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch	2014-12-20 07:16:54.000000000 +0100
@@ -0,0 +1,26 @@
+From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 17 Nov 2014 13:11:32 +0100
+Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
+
+---
+ fio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fio.c b/fio.c
+index 1529236..774a204 100644
+--- a/fio.c
++++ b/fio.c
+@@ -497,7 +497,7 @@ globname(char *name)
+ 	sigemptyset(&nset);
+ 	sigaddset(&nset, SIGCHLD);
+ 	sigprocmask(SIG_BLOCK, &nset, NULL);
+-	i = wordexp(name, &we, 0);
++	i = wordexp(name, &we, WRDE_NOCMD);
+ 	sigprocmask(SIG_UNBLOCK, &nset, NULL);
+ 	switch (i) {
+ 	case 0:
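
Review bot: With `WRDE_NOCMD`, `wordexp()` fails with `WRDE_CMDSUB` when `name` contains command substitution, and the `switch (i)` that follows is not touched by this patch. Check that this return value reaches a case that prints a clear error and rejects the name, not a generic or silent path; a one-line commit description noting that the other expansions done by `wordexp()` are still performed would also help.
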
+-- 
+1.9.3
+
+
diff -Nru heirloom-mailx-12.5/debian/patches/series heirloom-mailx-12.5/debian/patches/series
--- heirloom-mailx-12.5/debian/patches/series	2012-04-14 20:23:34.000000000 +0200
+++ heirloom-mailx-12.5/debian/patches/series	2014-12-20 07:16:54.000000000 +0100
@@ -1,3 +1,7 @@
 0001-Don-t-reuse-weak-symbol-optopt-to-fix-FTBFS-on-mips.patch
 0002-Patched-out-SSL2-support-since-it-is-no-longer-suppo.patch
 0003-Fixed-Lintian-warning-warning-macro-N-not-defined.patch
+0011-outof-Introduce-expandaddr-flag.patch
+0012-unpack-Disable-option-processing-for-email-addresses.patch
+0013-fio.c-Unconditionally-require-wordexp-support.patch
+0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch
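
Review bot: The new entries jump from 0003 to 0011 without explanation; a `#` comment line in `series` saying the four files are one ordered set would help. The order matters: the `fio.c` index line in 0014 starts from `1529236`, which is the result of 0013, so these two must not be reordered.
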

--- End Message ---
--- Begin Message ---
On Sat, Dec 20, 2014 at 07:58:29PM +0100, Salvatore Bonaccorso wrote:
> I prepared an upload for heirloom-mailx with the same patches as used
> by Florian for doing the DSA-3105-1[1], see also #773417[2].
> 
>  [1] https://www.debian.org/security/2014/dsa-3105
>  [2] https://bugs.debian.org/773417

Unblocked, thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



--- End Message ---
