[mailx/f20] Security fix for CVE-2004-2771, CVE-2014-7844 - resolves: #1174903

Jan Chaloupka jchaloup at fedoraproject.org
Thu Dec 18 11:02:00 UTC 2014 

commit 9445d13319b47057f995ff5eb83cc3dddeef9312
Author: Jan Chaloupka <jchaloup at redhat.com>
Date:   Wed Dec 17 17:54:29 2014 +0100

    Security fix for CVE-2004-2771, CVE-2014-7844
    - resolves: #1174903

 ...c-Unconditionally-require-wordexp-support.patch |  108 ++++++++++++++++++++
 ...voke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch |   25 +++++
 mailx-12.5-outof-Introduce-expandaddr-flag.patch   |   64 ++++++++++++
 ...ble-option-processing-for-email-addresses.patch |   74 +++++++++++++
 mailx.spec                                         |   15 +++-
 5 files changed, 285 insertions(+), 1 deletions(-)
---
diff --git a/mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch b/mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch
new file mode 100644
index 0000000..7544ab2
--- /dev/null
+++ b/mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch
@@ -0,0 +1,108 @@
+From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Mon, 17 Nov 2014 12:48:25 +0100
+Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support
+
+---
+ fio.c | 67 +++++--------------------------------------------------------------
+ 1 file changed, 5 insertions(+), 62 deletions(-)
+
+diff --git a/fio.c b/fio.c
+index 65e8f10..1529236 100644
+--- a/fio.c
++++ b/fio.c
+@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c	2.76 (gritter) 9/16/09";
+ #endif /* not lint */
+ 
+ #include "rcv.h"
++
++#ifndef HAVE_WORDEXP
++#error wordexp support is required
++#endif
++
+ #include <sys/stat.h>
+ #include <sys/file.h>
+ #include <sys/wait.h>
+-#ifdef	HAVE_WORDEXP
+ #include <wordexp.h>
+-#endif	/* HAVE_WORDEXP */
+ #include <unistd.h>
+ 
+ #if defined (USE_NSS)
+@@ -481,7 +484,6 @@ next:
+ static char *
+ globname(char *name)
+ {
+-#ifdef	HAVE_WORDEXP
+ 	wordexp_t we;
+ 	char *cp;
+ 	sigset_t nset;
+@@ -527,65 +529,6 @@ globname(char *name)
+ 	}
+ 	wordfree(&we);
+ 	return cp;
+-#else	/* !HAVE_WORDEXP */
+-	char xname[PATHSIZE];
+-	char cmdbuf[PATHSIZE];		/* also used for file names */
+-	int pid, l;
+-	char *cp, *shell;
+-	int pivec[2];
+-	extern int wait_status;
+-	struct stat sbuf;
+-
+-	if (pipe(pivec) < 0) {
+-		perror("pipe");
+-		return name;
+-	}
+-	snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
+-	if ((shell = value("SHELL")) == NULL)
+-		shell = SHELL;
+-	pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
+-	if (pid < 0) {
+-		close(pivec[0]);
+-		close(pivec[1]);
+-		return NULL;
+-	}
+-	close(pivec[1]);
+-again:
+-	l = read(pivec[0], xname, sizeof xname);
+-	if (l < 0) {
+-		if (errno == EINTR)
+-			goto again;
+-		perror("read");
+-		close(pivec[0]);
+-		return NULL;
+-	}
+-	close(pivec[0]);
+-	if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) {
+-		fprintf(stderr, catgets(catd, CATSET, 81,
+-				"\"%s\": Expansion failed.\n"), name);
+-		return NULL;
+-	}
+-	if (l == 0) {
+-		fprintf(stderr, catgets(catd, CATSET, 82,
+-					"\"%s\": No match.\n"), name);
+-		return NULL;
+-	}
+-	if (l == sizeof xname) {
+-		fprintf(stderr, catgets(catd, CATSET, 83,
+-				"\"%s\": Expansion buffer overflow.\n"), name);
+-		return NULL;
+-	}
+-	xname[l] = 0;
+-	for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
+-		;
+-	cp[1] = '\0';
+-	if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
+-		fprintf(stderr, catgets(catd, CATSET, 84,
+-				"\"%s\": Ambiguous.\n"), name);
+-		return NULL;
+-	}
+-	return savestr(xname);
+-#endif	/* !HAVE_WORDEXP */
+ }
+ 
+ /*
+-- 
+1.9.3
+
diff --git a/mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch b/mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
new file mode 100644
index 0000000..a7fb9d3
--- /dev/null
+++ b/mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
@@ -0,0 +1,25 @@
+From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Mon, 17 Nov 2014 13:11:32 +0100
+Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
+
+---
+ fio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fio.c b/fio.c
+index 1529236..774a204 100644
+--- a/fio.c
++++ b/fio.c
+@@ -497,7 +497,7 @@ globname(char *name)
+ 	sigemptyset(&nset);
+ 	sigaddset(&nset, SIGCHLD);
+ 	sigprocmask(SIG_BLOCK, &nset, NULL);
+-	i = wordexp(name, &we, 0);
++	i = wordexp(name, &we, WRDE_NOCMD);
+ 	sigprocmask(SIG_UNBLOCK, &nset, NULL);
+ 	switch (i) {
+ 	case 0:
+-- 
+1.9.3
+
diff --git a/mailx-12.5-outof-Introduce-expandaddr-flag.patch b/mailx-12.5-outof-Introduce-expandaddr-flag.patch
new file mode 100644
index 0000000..c3479e2
--- /dev/null
+++ b/mailx-12.5-outof-Introduce-expandaddr-flag.patch
@@ -0,0 +1,64 @@
+From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Mon, 17 Nov 2014 11:13:38 +0100
+Subject: [PATCH 1/4] outof: Introduce expandaddr flag
+
+Document that address expansion is disabled unless the expandaddr
+binary option is set.
+
+This has been assigned CVE-2014-7844 for BSD mailx, but it is not
+a vulnerability in Heirloom mailx because this feature was documented.
+---
+ mailx.1 | 14 ++++++++++++++
+ names.c |  3 +++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/mailx.1 b/mailx.1
+index 70a7859..22a171b 100644
+--- a/mailx.1
++++ b/mailx.1
+@@ -656,6 +656,14 @@ but any reply returned to the machine
+ will have the system wide alias expanded
+ as all mail goes through sendmail.
+ .SS "Recipient address specifications"
++If the
++.I expandaddr
++option is not set (the default), recipient addresses must be names of
++local mailboxes or Internet mail addresses.
++.PP
++If the
++.I expandaddr
++option is set, the following rules apply:
+ When an address is used to name a recipient
+ (in any of To, Cc, or Bcc),
+ names of local mail folders
+@@ -2391,6 +2399,12 @@ and exits immediately.
+ If this option is set,
+ \fImailx\fR starts even with an empty mailbox.
+ .TP
++.B expandaddr
++Causes
++.I mailx
++to expand message recipient addresses, as explained in the section,
++Recipient address specifications.
++.TP
+ .B flipr
+ Exchanges the
+ .I Respond
+diff --git a/names.c b/names.c
+index 66e976b..c69560f 100644
+--- a/names.c
++++ b/names.c
+@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
+ 	FILE *fout, *fin;
+ 	int ispipe;
+ 
++	if (value("expandaddr") == NULL)
++		return names;
++
+ 	top = names;
+ 	np = names;
+ 	time(&now);
+-- 
+1.9.3
+
diff --git a/mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch b/mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch
new file mode 100644
index 0000000..d20bb4a
--- /dev/null
+++ b/mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch
@@ -0,0 +1,74 @@
+From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Mon, 17 Nov 2014 11:14:06 +0100
+Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
+ when calling sendmail
+
+---
+ extern.h  | 2 +-
+ names.c   | 8 ++++++--
+ sendout.c | 2 +-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/extern.h b/extern.h
+index 6b85ba0..8873fe8 100644
+--- a/extern.h
++++ b/extern.h
+@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
+ int is_fileaddr(char *name);
+ struct name *usermap(struct name *names);
+ struct name *cat(struct name *n1, struct name *n2);
+-char **unpack(struct name *np);
++char **unpack(struct name *smopts, struct name *np);
+ struct name *elide(struct name *names);
+ int count(struct name *np);
+ struct name *delete_alternates(struct name *np);
+diff --git a/names.c b/names.c
+index c69560f..45bbaed 100644
+--- a/names.c
++++ b/names.c
+@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
+  * Return an error if the name list won't fit.
+  */
+ char **
+-unpack(struct name *np)
++unpack(struct name *smopts, struct name *np)
+ {
+ 	char **ap, **top;
+ 	struct name *n;
+@@ -564,7 +564,7 @@ unpack(struct name *np)
+ 	 * the terminating 0 pointer.  Additional spots may be needed
+ 	 * to pass along -f to the host mailer.
+ 	 */
+-	extra = 2;
++	extra = 3 + count(smopts);
+ 	extra++;
+ 	metoo = value("metoo") != NULL;
+ 	if (metoo)
+@@ -581,6 +581,10 @@ unpack(struct name *np)
+ 		*ap++ = "-m";
+ 	if (verbose)
+ 		*ap++ = "-v";
++	for (; smopts != NULL; smopts = smopts->n_flink)
++		if ((smopts->n_type & GDEL) == 0)
++			*ap++ = smopts->n_name;
++	*ap++ = "--";
+ 	for (; n != NULL; n = n->n_flink)
+ 		if ((n->n_type & GDEL) == 0)
+ 			*ap++ = n->n_name;
+diff --git a/sendout.c b/sendout.c
+index 7b7f2eb..c52f15d 100644
+--- a/sendout.c
++++ b/sendout.c
+@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
+ #endif	/* HAVE_SOCKETS */
+ 
+ 	if ((smtp = value("smtp")) == NULL) {
+-		args = unpack(cat(mailargs, to));
++		args = unpack(mailargs, to);
+ 		if (debug || value("debug")) {
+ 			printf(catgets(catd, CATSET, 181,
+ 					"Sendmail arguments:"));
+-- 
+1.9.3
+
diff --git a/mailx.spec b/mailx.spec
index 5d5709a..9fc4832 100644
--- a/mailx.spec
+++ b/mailx.spec
@@ -4,7 +4,7 @@
 Summary: Enhanced implementation of the mailx command
 Name: mailx
 Version: 12.5
-Release: 10%{?dist}
+Release: 11%{?dist}
 # MPLv1.1 .. nss.c, nsserr.c
 License: BSD with advertising and MPLv1.1
 Group: Applications/Internet
@@ -24,6 +24,11 @@ Patch4: mailx-12.5-collect.patch
 # resolves: #948869
 Patch5: mailx-12.5-usage.patch
 
+Patch7: mailx-12.5-outof-Introduce-expandaddr-flag.patch
+Patch8: mailx-12.5-fio.c-Unconditionally-require-wordexp-support.patch
+Patch9: mailx-12.5-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.patch
+Patch10: mailx-12.5-unpack-Disable-option-processing-for-email-addresses.patch
+
 %if %{use_nss}
 BuildRequires: nss-devel, pkgconfig, krb5-devel
 %else
@@ -61,6 +66,10 @@ as well as "nail" (the initial name of this project).
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 sed -i 's,/etc/nail.rc,%{mailrc},g' mailx.1
 
 
@@ -136,6 +145,10 @@ popd
 
 
 %changelog
+* Wed Dec 17 2014 jchaloup <jchaloup at redhat.com> - 12.5-11
+- Security fix for CVE-2004-2771, CVE-2014-7844
+  resolves: #1174903
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 12.5-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

More information about the scm-commits mailing list