Bug 14828

Summary: nail (aka mailx) new security issues CVE-2004-2771 and CVE-2014-7844
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/626653/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: nail-12.4-9.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-17 18:43:25 CET 
RedHat has issued an advisory on December 16:
https://rhn.redhat.com/errata/RHSA-2014-1999.html

Patched packages uploaded for Mageia 4 and Cauldron.

Note that the first CVE is indeed from 2004, please don't mistype it as 2014.

There's a lot more information on this update in this oss-security post:
http://openwall.com/lists/oss-security/2014/12/16/12

Advisory:
========================

Updated nail package fixes security vulnerabilities:

A flaw was found in the way mailx handled the parsing of email addresses.
A syntactically valid email address could allow a local attacker to cause
mailx to execute arbitrary shell commands through shell meta-characters and
the direct command execution functionality (CVE-2004-2771, CVE-2014-7844).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844
https://rhn.redhat.com/errata/RHSA-2014-1999.html
========================

Updated packages in core/updates_testing:
========================
nail-12.4-9.1.mga4

from nail-12.4-9.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 olivier charles 2014-12-17 23:26:19 CET 
Testing on Mageia4x64 real hardware
Could not find PoCs in links supplied in Description.

From current package :
--------------------
nail-12.4-9.mga4

Started postfix service :

# systemctl start postfix

$ nail
No mail for zitounu

Wrote a simple mail.
$ nail -s "This is a test" zitounu
This is a test
Message number 1
Three lines
EOT

which I could find here :
$ nail
Heirloom mailx version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/zitounu": 1 message 1 new
>N  1 zitounu            Wed Dec 17 22:39   20/674   This is a test
? 1

Wrote a mail with an attachment :
$ echo "This is message body" | nail -s "This is Message 2" -r \
> "zitounu" -a ~/qa/testfile zitounu

$ nail
Heirloom mailx version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/zitounu": 2 messages 2 new
>N  1 zitounu            Wed Dec 17 22:39   20/674   This is a test
 N  2 zitounu@localhost. Wed Dec 17 22:44   36/1136  This is Message 2

Message 2 contained attachment

Sent a mail from and to my gmail account in verbose mode :

$ echo "This is the message body and contains the message from olchal" | nail -v \
> -s "Message 3" \
> -S smtp="smtp.gmail.com:587" \
> -S smtp-use-starttls \
> -S smtp-auth=login \
> -S smtp-auth-user="olchal@gmail.com" \
> -S smtp-auth-password="password" \
> -S ssl-verify=ignore \
> olchal@gmail.com

I could retrieve my mail on my gmail account.

With updated testing package :
----------------------------

nail-12.4-9.1.mga4

Could retrieve previous messages, read them, delete them and write new ones,
send one to myuser@gmail.com.

Nail working OK before and after the update. 
But maybe there is something else to test so not adding the whiteflag whithout someone overlooking what I did. Thanks

CC: (none) => olchal

Comment 2 claire robinson 2014-12-17 23:39:27 CET 
Good testing Olivier. The PoC on the original 2004 bug here might be useful..
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
Comment 3 olivier charles 2014-12-18 02:36:36 CET 
(In reply to claire robinson from comment #2)
> Good testing Olivier. The PoC on the original 2004 bug here might be useful..
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748


Thanks Claire

So, with current package :
------------------------
$ nail '=?EUC-KR?B?sei8vL/4?= <musiphil@bawi.org>'
Subject: test PoC
test
EOT
=?EUC-KR?B?sei8vL/4?=: Aucun fichier ou dossier de ce type
"/home/zitounu/dead.letter" 9/219

It does not give the same output as in the link you provided but fails nonetheless.

With updated testing package :
----------------------------
$ nail $ nail '=?EUC-KR?B?sei8vL/4?= <musiphil@bawi.org>'
Subject: test PoC
Test
EOT

It does not fail anymore, just returns an Undelivered mail message after a while.
Difficult for me to conclude anything about that.
Comment 4 Herman Viaene 2014-12-18 14:32:22 CET 
Testing MGA4-32
Installed nail-12.4-9.1.mga4
At the CLI I get:
$ nail '=?EUC-KR?B?sei8vL/4?= <musiphil@bawi.org>'
Subject: test poc    
test
EOT
/usr/lib/sendmail: No such file or directory
"/home/xxxx/dead.letter" 9/219
. . . message not sent.
This is exactly the same as in Comment 3 with the current package????

I get
$ urpmq -f nail
nail-12.4-9.mga4.i586|nail-12.4-9.1.mga4.i586

CC: (none) => herman.viaene

olivier charles 2014-12-18 21:39:11 CET

Whiteboard: (none) => MGA4-64-OK

Comment 5 David Walser 2014-12-18 23:14:21 CET 
I confirm Olivier's results in Comment 3.  With the update, there's no output after the EOT.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 6 claire robinson 2014-12-18 23:35:24 CET 
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2014-12-19 16:07:33 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0538.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED