RedHat has issued an advisory on December 16:
https://rhn.redhat.com/errata/RHSA-2014-1999.html

Patched packages uploaded for Mageia 4 and Cauldron.

Note that the first CVE is indeed from 2004, please don't mistype it as 2014.

There's a lot more information on this update in this oss-security post:
http://openwall.com/lists/oss-security/2014/12/16/12

Advisory:
========================

Updated nail package fixes security vulnerabilities:

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality (CVE-2004-2771, CVE-2014-7844).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844
https://rhn.redhat.com/errata/RHSA-2014-1999.html
========================

Updated packages in core/updates_testing:
========================
nail-12.4-9.1.mga4

from nail-12.4-9.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Testing on Mageia4x64 real hardware

Could not find PoCs in links supplied in Description.

From current package :
--------------------
nail-12.4-9.mga4

Started postfix service :
# systemctl start postfix
$ nail
No mail for zitounu

Wrote a simple mail.
$ nail -s "This is a test" zitounu
This is a test
Message number 1
Three lines
EOT

which I could find here :
$ nail
Heirloom mailx version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/zitounu": 1 message 1 new
>N 1 zitounu Wed Dec 17 22:39 20/674 This is a test
? 1

Wrote a mail with an attachment :
$ echo "This is message body" | nail -s "This is Message 2" -r \
> "zitounu" -a ~/qa/testfile zitounu
$ nail
Heirloom mailx version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/zitounu": 2 messages 2 new
>N 1 zitounu Wed Dec 17 22:39 20/674 This is a test
 N 2 zitounu@localhost. Wed Dec 17 22:44 36/1136 This is Message 2

Message 2 contained attachment

Sent a mail from and to my gmail account in verbose mode :
$ echo "This is the message body and contains the message from olchal" | nail -v \
> -s "Message 3" \
> -S smtp="smtp.gmail.com:587" \
> -S smtp-use-starttls \
> -S smtp-auth=login \
> -S smtp-auth-user="olchal@gmail.com" \
> -S smtp-auth-password="password" \
> -S ssl-verify=ignore \
> olchal@gmail.com

I could retrieve my mail on my gmail account.

With updated testing package :
----------------------------
nail-12.4-9.1.mga4

Could retrieve previous messages, read them, delete them and write new ones, send one to myuser@gmail.com.

Nail working OK before and after the update.
But maybe there is something else to test so not adding the whiteflag without someone overlooking what I did.

Thanks
CC: (none) => olchal
Good testing Olivier. The PoC on the original 2004 bug here might be useful.. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
(In reply to claire robinson from comment #2)
> Good testing Olivier. The PoC on the original 2004 bug here might be useful..
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748

Thanks Claire

So, with current package :
------------------------
$ nail '=?EUC-KR?B?sei8vL/4?= <musiphil@bawi.org>'
Subject: test PoC
test
EOT
=?EUC-KR?B?sei8vL/4?=: Aucun fichier ou dossier de ce type
"/home/zitounu/dead.letter" 9/219

It does not give the same output as in the link you provided but fails nonetheless.

With updated testing package :
----------------------------
$ nail
$ nail '=?EUC-KR?B?sei8vL/4?= <musiphil@bawi.org>'
Subject: test PoC
Test
EOT

It does not fail anymore, just returns an Undelivered mail message after a while.
Difficult for me to conclude anything about that.
Testing MGA4-32

Installed nail-12.4-9.1.mga4

At the CLI I get:
$ nail '=?EUC-KR?B?sei8vL/4?= <musiphil@bawi.org>'
Subject: test poc
test
EOT
/usr/lib/sendmail: No such file or directory
"/home/xxxx/dead.letter" 9/219
. . . message not sent.

This is exactly the same as in Comment 3 with the current package????

I get
$ urpmq -f nail
nail-12.4-9.mga4.i586|nail-12.4-9.1.mga4.i586
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
I confirm Olivier's results in Comment 3. With the update, there's no output after the EOT.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0538.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED