Module Name: src
Committed By: snj
Date: Thu Apr 23 19:46:40 UTC 2015
Modified Files:
src/usr.bin/mail [netbsd-7]: cmd3.c extern.h fio.c mail.1 names.c
send.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #719):
usr.bin/mail/cmd3.c: revision 1.43
usr.bin/mail/extern.h: revision 1.33
usr.bin/mail/fio.c: revisions 1.41, 1.42
usr.bin/mail/mail.1: revision 1.61
usr.bin/mail/names.c: revision 1.31, 1.32
usr.bin/mail/send.c: revision 1.38
Fix various security related issues:
0001. Do not recognize paths, mail folders, and pipes in mail addresses
by default. That avoids a direct command injection with syntactically
valid email addresses starting with |.
Such addresses can be specified both on the command line, the mail
headers (with -t) or in address lines copied over from previous
while replying.
This was assigned CVE-2014-7844 for some versions of BSD mailx. It is
documented behavior for Heirloom mailx, and was mentioned in an old
technical report about BSD mailx (which does not usually make its way
into operating system installations). The patch switches off this
processing and updates the documentation.
Added expandaddr option to explicitly enable this behavior.
0002. When invoking sendmail, prevent option processing for email
address arguments. This prevents changing e.g. the Postfix
configuration file in unexpected ways. This behavior was documented for
BSD mailx (sort of), but not for Heirloom mailx. We did not assign a
CVE to this because it is more of a missing feature, and code invoking
mailx needs adjustment in the caller as well.
Fixed.
0003. Make wordexp support mandatory. (No functional change.)
Fixed (replaced explicit shell pipe implementation).
0004. Prevent command execution in the expand function, which is IMHO
unexpected. (Not really required with patch 1, and there is still
information disclosure/DoS potential if this expansion occurs.) This is
a historic vulnerability already fixed in the Debian package,
retroactively assigned CVE-2004-2771:
Fixed (as part of the pipe replacement with wordexp).
--
fix incorrect arg size computation
To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.42.10.1 src/usr.bin/mail/cmd3.c
cvs rdiff -u -r1.32 -r1.32.10.1 src/usr.bin/mail/extern.h
cvs rdiff -u -r1.40 -r1.40.8.1 src/usr.bin/mail/fio.c
cvs rdiff -u -r1.60 -r1.60.8.1 src/usr.bin/mail/mail.1
cvs rdiff -u -r1.30 -r1.30.8.1 src/usr.bin/mail/names.c
cvs rdiff -u -r1.37 -r1.37.10.1 src/usr.bin/mail/send.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
