Ticket #46255: patch-mailx-CVE-2014-7844.diff

File patch-mailx-CVE-2014-7844.diff, 9.7 KB (added by raimue (Rainer Müller), 10 years ago)
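--- a/Portfile
+++ b/Portfile
@@ -3,7 +3,7 @@
 PortSystem 1.0
 name            mailx
 version         12.4
-revision        2
+revision        3
 categories      mail
 license         {BSD-old BSD}
 maintainers     toby
@@ -34,6 +34,14 @@
                 patch-makeconfig \
                 patch-openssl.c
 
+# CVE-2004-2771, CVE-2014-7844
+# http://seclists.org/oss-sec/2014/q4/1066
+patchfiles-append \
+                patch-0001-outof-Introduce-expandaddr-flag.diff \
+                patch-0002-unpack-Disable-option-processing-for-email-addresses.diff \
+                patch-0003-fio_c-Unconditionally-require-wordexp-support.diff \
+                patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff
+
 post-patch {
     reinplace "s|__PREFIX__|${prefix}|" "${worksrcpath}/Makefile"
     reinplace "s|__DESTROOT__|${destroot}|" "${worksrcpath}/Makefile"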
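--- a/files/patch-0001-outof-Introduce-expandaddr-flag.diff
+++ b/files/patch-0001-outof-Introduce-expandaddr-flag.diff
@@ -0,0 +1,67 @@
+Upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+>From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer () redhat com>
+Date: Mon, 17 Nov 2014 11:13:38 +0100
+Subject: [PATCH 1/4] outof: Introduce expandaddr flag
+
+Document that address expansion is disabled unless the expandaddr
+binary option is set.
+
+This has been assigned CVE-2014-7844 for BSD mailx, but it is not
+a vulnerability in Heirloom mailx because this feature was documented.
+---
+ mailx.1 | 14 ++++++++++++++
+ names.c |  3 +++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/mailx.1 b/mailx.1
+index 70a7859..22a171b 100644
+--- mailx.1
++++ mailx.1
+@@ -656,6 +656,14 @@ but any reply returned to the machine
+ will have the system wide alias expanded
+ as all mail goes through sendmail.
+ .SS "Recipient address specifications"
++If the
++.I expandaddr
++option is not set (the default), recipient addresses must be names of
++local mailboxes or Internet mail addresses.
++.PP
++If the
++.I expandaddr
++option is set, the following rules apply:
+ When an address is used to name a recipient
+ (in any of To, Cc, or Bcc),
+ names of local mail folders
+@@ -2391,6 +2399,12 @@ and exits immediately.
+ If this option is set,
+ \fImailx\fR starts even with an empty mailbox.
+ .TP
++.B expandaddr
++Causes
++.I mailx
++to expand message recipient addresses, as explained in the section,
++Recipient address specifications.
++.TP
+ .B flipr
+ Exchanges the
+ .I Respond
+diff --git a/names.c b/names.c
+index 66e976b..c69560f 100644
+--- names.c
++++ names.c
+@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
+        FILE *fout, *fin;
+        int ispipe;
+ 
++       if (value("expandaddr") == NULL)
++               return names;
++
+        top = names;
+        np = names;
+        time(&now);
+--
+1.9.3
+
+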
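Review bot: The early return added at the top of outof() in names.c carries no comment marking it as a security gate, so a later cleanup could move or drop it without noticing what it protects. With expandaddr unset the list is returned untouched, so names that outof() would otherwise expand (file and pipe targets, judging by `ispipe` and the man page section) appear to be handed on as ordinary recipients rather than rejected; the new mailx.1 text says addresses "must be" mailbox names or Internet addresses, but nothing visible here enforces that. I would add `/* Security: file and pipe recipients are honoured only when expandaddr is set (CVE-2014-7844) */` above the check, and consider a warning when a recipient looks like a file or pipe target while the option is off. outof()'s body continues outside the hunk.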
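--- a/files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff
+++ b/files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff
@@ -0,0 +1,77 @@
+upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+>From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer () redhat com>
+Date: Mon, 17 Nov 2014 11:14:06 +0100
+Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
+ when calling sendmail
+
+---
+ extern.h  | 2 +-
+ names.c   | 8 ++++++--
+ sendout.c | 2 +-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/extern.h b/extern.h
+index 6b85ba0..8873fe8 100644
+--- extern.h
++++ extern.h
+@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
+ int is_fileaddr(char *name);
+ struct name *usermap(struct name *names);
+ struct name *cat(struct name *n1, struct name *n2);
+-char **unpack(struct name *np);
++char **unpack(struct name *smopts, struct name *np);
+ struct name *elide(struct name *names);
+ int count(struct name *np);
+ struct name *delete_alternates(struct name *np);
+diff --git a/names.c b/names.c
+index c69560f..45bbaed 100644
+--- names.c
++++ names.c
+@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
+  * Return an error if the name list won't fit.
+  */
+ char **
+-unpack(struct name *np)
++unpack(struct name *smopts, struct name *np)
+ {
+        char **ap, **top;
+        struct name *n;
+@@ -564,7 +564,7 @@ unpack(struct name *np)
+         * the terminating 0 pointer.  Additional spots may be needed
+         * to pass along -f to the host mailer.
+         */
+-       extra = 2;
++       extra = 3 + count(smopts);
+        extra++;
+        metoo = value("metoo") != NULL;
+        if (metoo)
+@@ -581,6 +581,10 @@ unpack(struct name *np)
+                *ap++ = "-m";
+        if (verbose)
+                *ap++ = "-v";
++       for (; smopts != NULL; smopts = smopts->n_flink)
++               if ((smopts->n_type & GDEL) == 0)
++                       *ap++ = smopts->n_name;
++       *ap++ = "--";
+        for (; n != NULL; n = n->n_flink)
+                if ((n->n_type & GDEL) == 0)
+                        *ap++ = n->n_name;
+diff --git a/sendout.c b/sendout.c
+index 7b7f2eb..c52f15d 100644
+--- sendout.c
++++ sendout.c
+@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
+ #endif /* HAVE_SOCKETS */
+ 
+        if ((smtp = value("smtp")) == NULL) {
+-               args = unpack(cat(mailargs, to));
++               args = unpack(mailargs, to);
+                if (debug || value("debug")) {
+                        printf(catgets(catd, CATSET, 181,
+                                        "Sendmail arguments:"));
+--
+1.9.3
+
+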
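Review bot: In unpack() in names.c the slot count changes from `extra = 2` to `extra = 3 + count(smopts)`, but the comment above it still mentions only -f, so the reason for the extra slot (the `--` terminator) and for the smopts term is undocumented; `extra = 3 + count(smopts); /* mailer options plus the "--" that ends option parsing */` would make the arithmetic checkable. The header comment of unpack() also does not describe the new smopts parameter or state that everything written after `--` is recipient data that must never be read as an option. The protection depends on the configured mailer honouring `--`, so recipients that begin with `-` are neutralised only if it does; that assumption is worth stating in the same comment. unpack() starts and ends outside the hunks shown.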
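--- a/files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff
+++ b/files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff
@@ -0,0 +1,111 @@
+Upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+>From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer () redhat com>
+Date: Mon, 17 Nov 2014 12:48:25 +0100
+Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support
+
+---
+ fio.c | 67 +++++--------------------------------------------------------------
+ 1 file changed, 5 insertions(+), 62 deletions(-)
+
+diff --git a/fio.c b/fio.c
+index 65e8f10..1529236 100644
+--- fio.c
++++ fio.c
+@@ -43,12 +43,15 @@ static char sccsid[] = "@(#)fio.c   2.76 (gritter) 9/16/09";
+ #endif /* not lint */
+ 
+ #include "rcv.h"
++
++#ifndef HAVE_WORDEXP
++#error wordexp support is required
++#endif
++
+ #include <sys/stat.h>
+ #include <sys/file.h>
+ #include <sys/wait.h>
+-#ifdef HAVE_WORDEXP
+ #include <wordexp.h>
+-#endif /* HAVE_WORDEXP */
+ #include <unistd.h>
+ 
+ #if defined (USE_NSS)
+@@ -481,7 +484,6 @@ next:
+ static char *
+ globname(char *name)
+ {
+-#ifdef HAVE_WORDEXP
+        wordexp_t we;
+        char *cp;
+        sigset_t nset;
+@@ -527,65 +529,6 @@ globname(char *name)
+        }
+        wordfree(&we);
+        return cp;
+-#else  /* !HAVE_WORDEXP */
+-       char xname[PATHSIZE];
+-       char cmdbuf[PATHSIZE];          /* also used for file names */
+-       int pid, l;
+-       char *cp, *shell;
+-       int pivec[2];
+-       extern int wait_status;
+-       struct stat sbuf;
+-
+-       if (pipe(pivec) < 0) {
+-               perror("pipe");
+-               return name;
+-       }
+-       snprintf(cmdbuf, sizeof cmdbuf, "echo %s", name);
+-       if ((shell = value("SHELL")) == NULL)
+-               shell = SHELL;
+-       pid = start_command(shell, 0, -1, pivec[1], "-c", cmdbuf, NULL);
+-       if (pid < 0) {
+-               close(pivec[0]);
+-               close(pivec[1]);
+-               return NULL;
+-       }
+-       close(pivec[1]);
+-again:
+-       l = read(pivec[0], xname, sizeof xname);
+-       if (l < 0) {
+-               if (errno == EINTR)
+-                       goto again;
+-               perror("read");
+-               close(pivec[0]);
+-               return NULL;
+-       }
+-       close(pivec[0]);
+-       if (wait_child(pid) < 0 && WTERMSIG(wait_status) != SIGPIPE) {
+-               fprintf(stderr, catgets(catd, CATSET, 81,
+-                               "\"%s\": Expansion failed.\n"), name);
+-               return NULL;
+-       }
+-       if (l == 0) {
+-               fprintf(stderr, catgets(catd, CATSET, 82,
+-                                       "\"%s\": No match.\n"), name);
+-               return NULL;
+-       }
+-       if (l == sizeof xname) {
+-               fprintf(stderr, catgets(catd, CATSET, 83,
+-                               "\"%s\": Expansion buffer overflow.\n"), name);
+-               return NULL;
+-       }
+-       xname[l] = 0;
+-       for (cp = &xname[l-1]; *cp == '\n' && cp > xname; cp--)
+-               ;
+-       cp[1] = '\0';
+-       if (strchr(xname, ' ') && stat(xname, &sbuf) < 0) {
+-               fprintf(stderr, catgets(catd, CATSET, 84,
+-                               "\"%s\": Ambiguous.\n"), name);
+-               return NULL;
+-       }
+-       return savestr(xname);
+-#endif /* !HAVE_WORDEXP */
+ }
+ 
+ /*
+--
+1.9.3
+
+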
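Review bot: The `#error wordexp support is required` added to fio.c gives no reason, and the fallback removed from globname() is exactly the kind of code someone restores to get a build working on a platform without wordexp. The deleted branch formatted `echo %s` from the name and ran it through `$SHELL -c`, so the name was interpreted by a shell; a comment next to the #error such as `/* No shell fallback: expanding names via $SHELL -c would interpret shell syntax in the name */` would record why it must stay gone. The check also relies on rcv.h, or something it includes, defining HAVE_WORDEXP before this point, which is not visible in the hunk.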
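--- a/files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff
+++ b/files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff
@@ -0,0 +1,28 @@
+Upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+>From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer () redhat com>
+Date: Mon, 17 Nov 2014 13:11:32 +0100
+Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
+
+---
+ fio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fio.c b/fio.c
+index 1529236..774a204 100644
+--- fio.c
++++ fio.c
+@@ -497,7 +497,7 @@ globname(char *name)
+        sigemptyset(&nset);
+        sigaddset(&nset, SIGCHLD);
+        sigprocmask(SIG_BLOCK, &nset, NULL);
+-       i = wordexp(name, &we, 0);
++       i = wordexp(name, &we, WRDE_NOCMD);
+        sigprocmask(SIG_UNBLOCK, &nset, NULL);
+        switch (i) {
+        case 0:
+--
+1.9.3
+
+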
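Review bot: With `WRDE_NOCMD`, wordexp() returns `WRDE_CMDSUB` when the name contains command substitution, and the `switch (i)` that handles the result lies mostly outside this hunk, so it is not visible whether that code has its own case. If it lands in a generic failure branch the user only sees an unspecific expansion error; a `case WRDE_CMDSUB:` with a message saying command substitution is not permitted in file names would make the refusal explicit. The call itself deserves a comment such as `/* WRDE_NOCMD: never run commands while expanding a file name (CVE-2004-2771) */` so the flag is not dropped in a later cleanup. globname() begins and ends outside the hunk.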