Ticket #46255: patch-mailx-CVE-2014-7844.diff
File patch-mailx-CVE-2014-7844.diff, 9.7 KB (added by raimue (Rainer Müller), 10 years ago) |
-
Portfile
3 3 PortSystem 1.0 4 4 name mailx 5 5 version 12.4 6 revision 26 revision 3 7 7 categories mail 8 8 license {BSD-old BSD} 9 9 maintainers toby … … 34 34 patch-makeconfig \ 35 35 patch-openssl.c 36 36 37 # CVE-2004-2771, CVE-2014-7844 38 # http://seclists.org/oss-sec/2014/q4/1066 39 patchfiles-append \ 40 patch-0001-outof-Introduce-expandaddr-flag.diff \ 41 patch-0002-unpack-Disable-option-processing-for-email-addresses.diff \ 42 patch-0003-fio_c-Unconditionally-require-wordexp-support.diff \ 43 patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff 44 37 45 post-patch { 38 46 reinplace "s|__PREFIX__|${prefix}|" "${worksrcpath}/Makefile" 39 47 reinplace "s|__DESTROOT__|${destroot}|" "${worksrcpath}/Makefile" -
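Review bot: The Portfile gives users no notice that this revision changes a mailx default: with patch-0001 applied, recipient address expansion is off unless the `expandaddr` option is set. A `notes` block would surface that at install time, for example `notes "Recipient address expansion is now disabled by default; see 'expandaddr' in mailx(1)."`. The comment above `patchfiles-append` could also say which patch addresses which CVE, since patch-0001's own message states that CVE-2014-7844 is not considered a vulnerability in Heirloom mailx.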
files/patch-0001-outof-Introduce-expandaddr-flag.diff
1 Upstream: http://seclists.org/oss-sec/2014/q4/1066 2 3 >From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001 4 From: Florian Weimer <fweimer () redhat com> 5 Date: Mon, 17 Nov 2014 11:13:38 +0100 6 Subject: [PATCH 1/4] outof: Introduce expandaddr flag 7 8 Document that address expansion is disabled unless the expandaddr 9 binary option is set. 10 11 This has been assigned CVE-2014-7844 for BSD mailx, but it is not 12 a vulnerability in Heirloom mailx because this feature was documented. 13 --- 14 mailx.1 | 14 ++++++++++++++ 15 names.c | 3 +++ 16 2 files changed, 17 insertions(+) 17 18 diff --git a/mailx.1 b/mailx.1 19 index 70a7859..22a171b 100644 20 --- mailx.1 21 +++ mailx.1 22 @@ -656,6 +656,14 @@ but any reply returned to the machine 23 will have the system wide alias expanded 24 as all mail goes through sendmail. 25 .SS "Recipient address specifications" 26 +If the 27 +.I expandaddr 28 +option is not set (the default), recipient addresses must be names of 29 +local mailboxes or Internet mail addresses. 30 +.PP 31 +If the 32 +.I expandaddr 33 +option is set, the following rules apply: 34 When an address is used to name a recipient 35 (in any of To, Cc, or Bcc), 36 names of local mail folders 37 @@ -2391,6 +2399,12 @@ and exits immediately. 38 If this option is set, 39 \fImailx\fR starts even with an empty mailbox. 40 .TP 41 +.B expandaddr 42 +Causes 43 +.I mailx 44 +to expand message recipient addresses, as explained in the section, 45 +Recipient address specifications. 46 +.TP 47 .B flipr 48 Exchanges the 49 .I Respond 50 diff --git a/names.c b/names.c 51 index 66e976b..c69560f 100644 52 --- names.c 53 +++ names.c 54 @@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp) 55 FILE *fout, *fin; 56 int ispipe; 57 58 + if (value("expandaddr") == NULL) 59 + return names; 60 + 61 top = names; 62 np = names; 63 time(&now); 64 -- 65 1.9.3 66 67 -
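Review bot: The new manual text says recipient addresses "must be" local mailbox names or Internet mail addresses when `expandaddr` is unset, but the added guard in `outof()` only skips expansion and returns `names` unchanged; nothing in this hunk rejects or reports a recipient that names a file or pipe. Such a name is presumably handed on to the MTA as an ordinary address, so the user gets no hint why the file or pipe delivery did not happen. Consider emitting a diagnostic for those names before returning, or at least add a comment such as `/* expandaddr unset: no file or pipe expansion; names are passed through unchanged */`. The body of `outof()` continues outside the hunk.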
files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff
1 upstream: http://seclists.org/oss-sec/2014/q4/1066 2 3 >From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001 4 From: Florian Weimer <fweimer () redhat com> 5 Date: Mon, 17 Nov 2014 11:14:06 +0100 6 Subject: [PATCH 2/4] unpack: Disable option processing for email addresses 7 when calling sendmail 8 9 --- 10 extern.h | 2 +- 11 names.c | 8 ++++++-- 12 sendout.c | 2 +- 13 3 files changed, 8 insertions(+), 4 deletions(-) 14 15 diff --git a/extern.h b/extern.h 16 index 6b85ba0..8873fe8 100644 17 --- extern.h 18 +++ extern.h 19 @@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp); 20 int is_fileaddr(char *name); 21 struct name *usermap(struct name *names); 22 struct name *cat(struct name *n1, struct name *n2); 23 -char **unpack(struct name *np); 24 +char **unpack(struct name *smopts, struct name *np); 25 struct name *elide(struct name *names); 26 int count(struct name *np); 27 struct name *delete_alternates(struct name *np); 28 diff --git a/names.c b/names.c 29 index c69560f..45bbaed 100644 30 --- names.c 31 +++ names.c 32 @@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2) 33 * Return an error if the name list won't fit. 34 */ 35 char ** 36 -unpack(struct name *np) 37 +unpack(struct name *smopts, struct name *np) 38 { 39 char **ap, **top; 40 struct name *n; 41 @@ -564,7 +564,7 @@ unpack(struct name *np) 42 * the terminating 0 pointer. Additional spots may be needed 43 * to pass along -f to the host mailer. 44 */ 45 - extra = 2; 46 + extra = 3 + count(smopts); 47 extra++; 48 metoo = value("metoo") != NULL; 49 if (metoo) 50 @@ -581,6 +581,10 @@ unpack(struct name *np) 51 *ap++ = "-m"; 52 if (verbose) 53 *ap++ = "-v"; 54 + for (; smopts != NULL; smopts = smopts->n_flink) 55 + if ((smopts->n_type & GDEL) == 0) 56 + *ap++ = smopts->n_name; 57 + *ap++ = "--"; 58 for (; n != NULL; n = n->n_flink) 59 if ((n->n_type & GDEL) == 0) 60 *ap++ = n->n_name; 61 
diff --git a/sendout.c b/sendout.c 62 index 7b7f2eb..c52f15d 100644 63 --- sendout.c 64 +++ sendout.c 65 @@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input, 66 #endif /* HAVE_SOCKETS */ 67 68 if ((smtp = value("smtp")) == NULL) { 69 - args = unpack(cat(mailargs, to)); 70 + args = unpack(mailargs, to); 71 if (debug || value("debug")) { 72 printf(catgets(catd, CATSET, 181, 73 "Sendmail arguments:")); 74 -- 75 1.9.3 76 77 -
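Review bot: The slot arithmetic `extra = 3 + count(smopts);` in `unpack()` is not explained, and the comment above it still mentions only the terminating pointer and `-f`. Since `extra` appears to size the argument array that the following `*ap++` stores fill, a miscount here would be an out-of-bounds write. Please extend the comment to account for the new slots, e.g. `/* +1 for "--", plus count(smopts) for the mailer options placed before it */`. Bracing the new `for`/`if` would also make it obvious that `*ap++ = "--";` runs once, after the loop. The allocation and the end of `unpack()` are outside the hunk, so the sizing could not be checked here.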
files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff
1 Upstream: http://seclists.org/oss-sec/2014/q4/1066 2 3 >From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001 4 From: Florian Weimer <fweimer () redhat com> 5 Date: Mon, 17 Nov 2014 12:48:25 +0100 6 Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support 7 8 --- 9 fio.c | 67 +++++-------------------------------------------------------------- 10 1 file changed, 5 insertions(+), 62 deletions(-) 11 12 diff --git a/fio.c b/fio.c 13 index 65e8f10..1529236 100644 14 --- fio.c 15 +++ fio.c 16 @@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c 2.76 (gritter) 9/16/09"; 17 #endif /* not lint */ 18 19 #include "rcv.h" 20 + 21 +#ifndef HAVE_WORDEXP 22 +#error wordexp support is required 23 +#endif 24 + 25 #include <sys/stat.h> 26 #include <sys/file.h> 27 #include <sys/wait.h> 28 -#ifdef HAVE_WORDEXP 29 #include <wordexp.h> 30 -#endif /* HAVE_WORDEXP */ 31 #include <unistd.h> 32 33 #if defined (USE_NSS) 34 @@ -481,7 +484,6 @@ next: 35 static char * 36 globname(char *name) 37 { 38 -#ifdef HAVE_WORDEXP 39 wordexp_t we; 40 char *cp; 41 sigset_t nset; 42 
@@ -527,65 +529,6 @@ globname(char *name) 43 } 44 wordfree(&we); 45 return cp; 46 -#else /* !HAVE_WORDEXP */ 47 - char xname[PATHSIZE]; 48 - char cmdbuf[PATHSIZE]; /* also used for file names */ 49 - int pid, l; 50 - char *cp, *shell; 51 - int pivec[2]; 52 - extern int wait_status; 53 - struct stat sbuf; 54 - 55 - if (pipe(pivec) < 0) { 56 - perror("pipe"); 57 - return name; 58 - } 59 - snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name); 60 - if ((shell = value("SHELL")) == NULL) 61 - shell = SHELL; 62 - pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL); 63 - if (pid < 0) { 64 - close(pivec[0]); 65 - close(pivec[1]); 66 - return NULL; 67 - } 68 - close(pivec[1]); 69 -again: 70 - l = read(pivec[0], xname, sizeof xname); 71 - if (l < 0) { 72 - if (errno == EINTR) 73 - goto again; 74 - perror("read"); 75 - close(pivec[0]); 76 - return NULL; 77 - } 78 - close(pivec[0]); 79 - if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) { 80 - fprintf(stderr, catgets(catd, CATSET, 81, 81 - "\"%s\": Expansion failed.\n"), name); 82 - return NULL; 83 - } 84 - if (l == 0) { 85 - fprintf(stderr, catgets(catd, CATSET, 82, 86 - "\"%s\": No match.\n"), name); 87 - return NULL; 88 - } 89 - if (l == sizeof xname) { 90 - fprintf(stderr, catgets(catd, CATSET, 83, 91 - "\"%s\": Expansion buffer overflow.\n"), name); 92 - return NULL; 93 - } 94 - xname[l] = 0; 95 - for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--) 96 - ; 97 - cp[1] = '\0'; 98 - if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) { 99 - fprintf(stderr, catgets(catd, CATSET, 84, 100 - "\"%s\": Ambiguous.\n"), name); 101 - return NULL; 102 - } 103 - return savestr(xname); 104 -#endif /* !HAVE_WORDEXP */ 105 } 106 107 /* 108 -- 109 1.9.3 110 111 -
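Review bot: The `#error wordexp support is required` added to fio.c gives a builder no reason for the hard failure, and a short comment above it would record why the fallback was dropped. Something like `/* The old fallback expanded names via "$SHELL -c 'echo <name>'"; only the wordexp() path can be limited with WRDE_NOCMD. */` would do, assuming that is the motivation (patch 4/4 suggests it). The check also depends on `HAVE_WORDEXP` being defined by the time `rcv.h` has been included. That is not visible in this hunk and is worth confirming against the generated configuration header.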
files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff
1 Upstream: http://seclists.org/oss-sec/2014/q4/1066 2 3 >From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001 4 From: Florian Weimer <fweimer () redhat com> 5 Date: Mon, 17 Nov 2014 13:11:32 +0100 6 Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771) 7 8 --- 9 fio.c | 2 +- 10 1 file changed, 1 insertion(+), 1 deletion(-) 11 12 diff --git a/fio.c b/fio.c 13 index 1529236..774a204 100644 14 --- fio.c 15 +++ fio.c 16 @@ -497,7 +497,7 @@ globname(char *name) 17 sigemptyset(&nset); 18 sigaddset(&nset, SIGCHLD); 19 sigprocmask(SIG_BLOCK, &nset, NULL); 20 - i = wordexp(name, &we, 0); 21 + i = wordexp(name, &we, WRDE_NOCMD); 22 sigprocmask(SIG_UNBLOCK, &nset, NULL); 23 switch (i) { 24 case 0: 25 -- 26 1.9.3 27 28
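Review bot: The `switch (i)` after the changed `wordexp()` call needs to handle `WRDE_CMDSUB`, which `wordexp()` returns when `WRDE_NOCMD` is set and the name asks for command substitution; only `case 0:` is visible in this hunk. Please confirm there is a `case WRDE_CMDSUB:` or a `default:` that returns NULL with a clear message, so a rejected name is never treated as a successful expansion. A one-line comment at the call, e.g. `/* WRDE_NOCMD: refuse command substitution in file names (CVE-2004-2771) */`, would keep the flag from being dropped in a later cleanup. The rest of `globname()` lies outside the hunk.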