diff --git a/SOURCES/mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch b/SOURCES/mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch new file mode 100644 index 0000000..7544ab2 --- /dev/null +++ b/SOURCES/mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch @@ -0,0 +1,108 @@ +From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Nov 2014 12:48:25 +0100 +Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support + +--- + fio.c | 67 +++++-------------------------------------------------------------- + 1 file changed, 5 insertions(+), 62 deletions(-) + +diff --git a/fio.c b/fio.c +index 65e8f10..1529236 100644 +--- a/fio.c ++++ b/fio.c +@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c 2.76 (gritter) 9/16/09"; + #endif /* not lint */ + + #include "rcv.h" ++ ++#ifndef HAVE_WORDEXP ++#error wordexp support is required ++#endif ++ + #include + #include + #include +-#ifdef HAVE_WORDEXP + #include +-#endif /* HAVE_WORDEXP */ + #include + + #if defined (USE_NSS) +@@ -481,7 +484,6 @@ next: + static char * + globname(char *name) + { +-#ifdef HAVE_WORDEXP + wordexp_t we; + char *cp; + sigset_t nset; +@@ -527,65 +529,6 @@ globname(char *name) + } + wordfree(&we); + return cp; +-#else /* !HAVE_WORDEXP */ +- char xname[PATHSIZE]; +- char cmdbuf[PATHSIZE]; /* also used for file names */ +- int pid, l; +- char *cp, *shell; +- int pivec[2]; +- extern int wait_status; +- struct stat sbuf; +- +- if (pipe(pivec) < 0) { +- perror("pipe"); +- return name; +- } +- snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name); +- if ((shell = value("SHELL")) == NULL) +- shell = SHELL; +- pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL); +- if (pid < 0) { +- close(pivec[0]); +- close(pivec[1]); +- return NULL; +- } +- close(pivec[1]); +-again: +- l = read(pivec[0], xname, sizeof xname); +- if (l < 0) { +- if (errno == EINTR) +- goto again; +- perror("read"); +- close(pivec[0]); +- return NULL; +- } +- close(pivec[0]); +- if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) { +- fprintf(stderr, catgets(catd, CATSET, 81, +- "\"%s\": Expansion failed.\n"), name); +- return NULL; +- } +- if (l == 0) { +- fprintf(stderr, catgets(catd, CATSET, 82, +- "\"%s\": No match.\n"), name); +- return NULL; +- } +- if (l == sizeof xname) { +- fprintf(stderr, catgets(catd, CATSET, 83, +- "\"%s\": Expansion buffer overflow.\n"), name); +- return NULL; +- } +- xname[l] = 0; +- for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--) +- ; +- cp[1] = '\0'; +- if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) { +- fprintf(stderr, catgets(catd, CATSET, 84, +- "\"%s\": Ambiguous.\n"), name); +- return NULL; +- } +- return savestr(xname); +-#endif /* !HAVE_WORDEXP */ + } + + /* +-- +1.9.3 + diff --git a/SOURCES/mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch b/SOURCES/mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch new file mode 100644 index 0000000..a7fb9d3 --- /dev/null +++ b/SOURCES/mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch @@ -0,0 +1,25 @@ +From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Nov 2014 13:11:32 +0100 +Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771) + +--- + fio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fio.c b/fio.c +index 1529236..774a204 100644 +--- a/fio.c ++++ b/fio.c +@@ -497,7 +497,7 @@ globname(char *name) + sigemptyset(&nset); + sigaddset(&nset, SIGCHLD); + sigprocmask(SIG_BLOCK, &nset, NULL); +- i = wordexp(name, &we, 0); ++ i = wordexp(name, &we, WRDE_NOCMD); + sigprocmask(SIG_UNBLOCK, &nset, NULL); + switch (i) { + case 0: +-- +1.9.3 + diff --git a/SOURCES/mailx-12.5-outof-Introduce-expandaddr-flag.patch b/SOURCES/mailx-12.5-outof-Introduce-expandaddr-flag.patch new file mode 100644 index 0000000..c3479e2 --- /dev/null +++ b/SOURCES/mailx-12.5-outof-Introduce-expandaddr-flag.patch @@ -0,0 +1,64 @@ +From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Nov 2014 11:13:38 +0100 +Subject: [PATCH 1/4] outof: Introduce expandaddr flag + +Document that address expansion is disabled unless the expandaddr +binary option is set. + +This has been assigned CVE-2014-7844 for BSD mailx, but it is not +a vulnerability in Heirloom mailx because this feature was documented. +--- + mailx.1 | 14 ++++++++++++++ + names.c | 3 +++ + 2 files changed, 17 insertions(+) + +diff --git a/mailx.1 b/mailx.1 +index 70a7859..22a171b 100644 +--- a/mailx.1 ++++ b/mailx.1 +@@ -656,6 +656,14 @@ but any reply returned to the machine + will have the system wide alias expanded + as all mail goes through sendmail. + .SS "Recipient address specifications" ++If the ++.I expandaddr ++option is not set (the default), recipient addresses must be names of ++local mailboxes or Internet mail addresses. ++.PP ++If the ++.I expandaddr ++option is set, the following rules apply: + When an address is used to name a recipient + (in any of To, Cc, or Bcc), + names of local mail folders +@@ -2391,6 +2399,12 @@ and exits immediately. + If this option is set, + \fImailx\fR starts even with an empty mailbox. + .TP ++.B expandaddr ++Causes ++.I mailx ++to expand message recipient addresses, as explained in the section, ++Recipient address specifications. ++.TP + .B flipr + Exchanges the + .I Respond +diff --git a/names.c b/names.c +index 66e976b..c69560f 100644 +--- a/names.c ++++ b/names.c +@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp) + FILE *fout, *fin; + int ispipe; + ++ if (value("expandaddr") == NULL) ++ return names; ++ + top = names; + np = names; + time(&now); +-- +1.9.3 + diff --git a/SOURCES/mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch b/SOURCES/mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch new file mode 100644 index 0000000..d20bb4a --- /dev/null +++ b/SOURCES/mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch @@ -0,0 +1,74 @@ +From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Nov 2014 11:14:06 +0100 +Subject: [PATCH 2/4] unpack: Disable option processing for email addresses + when calling sendmail + +--- + extern.h | 2 +- + names.c | 8 ++++++-- + sendout.c | 2 +- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/extern.h b/extern.h +index 6b85ba0..8873fe8 100644 +--- a/extern.h ++++ b/extern.h +@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp); + int is_fileaddr(char *name); + struct name *usermap(struct name *names); + struct name *cat(struct name *n1, struct name *n2); +-char **unpack(struct name *np); ++char **unpack(struct name *smopts, struct name *np); + struct name *elide(struct name *names); + int count(struct name *np); + struct name *delete_alternates(struct name *np); +diff --git a/names.c b/names.c +index c69560f..45bbaed 100644 +--- a/names.c ++++ b/names.c +@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2) + * Return an error if the name list won't fit. + */ + char ** +-unpack(struct name *np) ++unpack(struct name *smopts, struct name *np) + { + char **ap, **top; + struct name *n; +@@ -564,7 +564,7 @@ unpack(struct name *np) + * the terminating 0 pointer. Additional spots may be needed + * to pass along -f to the host mailer. + */ +- extra = 2; ++ extra = 3 + count(smopts); + extra++; + metoo = value("metoo") != NULL; + if (metoo) +@@ -581,6 +581,10 @@ unpack(struct name *np) + *ap++ = "-m"; + if (verbose) + *ap++ = "-v"; ++ for (; smopts != NULL; smopts = smopts->n_flink) ++ if ((smopts->n_type & GDEL) == 0) ++ *ap++ = smopts->n_name; ++ *ap++ = "--"; + for (; n != NULL; n = n->n_flink) + if ((n->n_type & GDEL) == 0) + *ap++ = n->n_name; +diff --git a/sendout.c b/sendout.c +index 7b7f2eb..c52f15d 100644 +--- a/sendout.c ++++ b/sendout.c +@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input, + #endif /* HAVE_SOCKETS */ + + if ((smtp = value("smtp")) == NULL) { +- args = unpack(cat(mailargs, to)); ++ args = unpack(mailargs, to); + if (debug || value("debug")) { + printf(catgets(catd, CATSET, 181, + "Sendmail arguments:")); +-- +1.9.3 + diff --git a/SPECS/mailx.spec b/SPECS/mailx.spec index d705652..37e6418 100644 --- a/SPECS/mailx.spec +++ b/SPECS/mailx.spec @@ -4,7 +4,7 @@ Summary: Enhanced implementation of the mailx command Name: mailx Version: 12.5 -Release: 11%{?dist} +Release: 12%{?dist} # MPLv1.1 .. nss.c, nsserr.c License: BSD with advertising and MPLv1.1 Group: Applications/Internet @@ -23,6 +23,11 @@ Patch3: mailx-12.5-fname-null.patch Patch4: mailx-12.5-collect.patch # resolves: #948869 Patch5: mailx-12.5-usage.patch +# resolves: #1171177 +Patch6: mailx-12.5-outof-Introduce-expandaddr-flag.patch +Patch7: mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch +Patch8: mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch +Patch9: mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch %if %{use_nss} BuildRequires: nss-devel, pkgconfig, krb5-devel @@ -61,6 +66,10 @@ as well as "nail" (the initial name of this project). %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 sed -i 's,/etc/nail.rc,%{mailrc},g' mailx.1 @@ -136,6 +145,10 @@ popd %changelog +* Wed Dec 10 2014 jchaloup - 12.5-12 +- CVE-2004-2771 mailx: command execution flaw + resolves: #1171177 + * Fri Jan 24 2014 Daniel Mach - 12.5-11 - Mass rebuild 2014-01-24