Wolfgang Jeltsch wrote:
> Hi,
>
> thank you very much for this information.
>
> Has there been any new insight into how Courier is affected by this bug?
>
> And is Courier affected by the “follow-up” CVE-2014-7169?
>
> All the best,
> Wolfgang
Any program which allows untrusted variable contents into the environment and can be made to spawn a bash descendant is "affected". (Actually, they are not affected themselves; they are used to trigger the bug in bash.) CVE-2014-6271 and CVE-2014-7169 are the same in this respect, so the new vulnerability doesn't change the affected status (although the latter is harder to exploit doing something useful, while with 6271 it was straightforward).

> Can the bug be exploited via ways other than default files?

courier uses a lot of environment variables. It seems very easy to add one of those broken variables to the environment. If you then use a bash shell script at some point, then you would be affected. The easiest way for that is if you have a .courier* file, or maildrop that executes a program (the "|something" delivery) and either it is (or spawns) a bash shell script, or the user shell is bash. Other ways of being affected include directly having a shell script as /usr/bin/sendmail or manually inserting a bash script in the chain of courier commands.

Also remember that dash is not affected by these bugs; if you have a system account with bash as shell, changing its shell to dash will reduce the attack surface. Making /bin/sh point to something other than bash will help, too (be aware that some shell scripts using bashisms wrongly declare that they will run with /bin/sh, though).

Best regards
courier-users mailing list
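As an added, defensive example (not code from this thread or from the Courier project): a small POSIX sh audit of the exposure points the reply names, namely accounts whose login shell is bash, programs in the delivery chain that run under bash (directly, or via a /bin/sh that resolves to bash), and "|command" deliveries in a .courier or maildrop file. The passwd lines, scripts and dot-file it inspects are constructed fixtures written to a temp directory, and the /bin/sh resolution is passed in explicitly so the report is reproducible on any machine.

```shell
#!/bin/sh
# Added audit helper for the courier-users discussion above; not code from the
# thread or from Courier. All fixture data below is constructed.

# Accounts whose login shell is bash, from passwd-format lines on stdin.
accounts_with_bash_shell() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }'
}

# Interpreter named in a file's shebang line (empty for a native binary).
script_interpreter() {
    head -n 1 "$1" 2>/dev/null | sed -n 's|^#![[:space:]]*\([^[:space:]]*\).*|\1|p'
}

# Does a program in the delivery chain run under bash? True when its shebang
# names bash, or names /bin/sh while /bin/sh itself resolves to bash.
# $2 pins what /bin/sh resolves to; defaults to the live system answer.
runs_under_bash() {
    prog=$1; sh_target=${2:-$(readlink -f /bin/sh 2>/dev/null)}
    interp=$(script_interpreter "$prog")
    case "$interp" in
        */bash|bash) return 0 ;;
        /bin/sh) case "$sh_target" in */bash|bash) return 0 ;; esac ;;
    esac
    return 1
}

# "|command" delivery lines in a .courier / maildrop file, leading "|" stripped.
pipe_deliveries() {
    sed -n 's/^[[:space:]]*|[[:space:]]*//p' "$1"
}

# Build a constructed fixture tree under a temp dir and print its path.
make_fixtures() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'courier:x:101:101::/var/lib/courier:/bin/dash' \
                  'lists:x:102:102::/var/lib/lists:/usr/bin/bash' > "$d/passwd"
    printf '#!/bin/bash\necho hi\n' > "$d/filter.sh"
    printf '#!/bin/sh\necho hi\n' > "$d/posix.sh"
    printf '\177ELF not a script\n' > "$d/native"
    printf '%s\n' '# forward through a filter, then deliver' \
                  '| /usr/local/bin/filter.sh' './Maildir/' > "$d/dot-courier"
    printf '%s' "$d"
}

# Print findings for one fixture tree; exit 0 when anything was flagged.
audit() {
    d=$1; flagged=1
    for u in $(accounts_with_bash_shell < "$d/passwd"); do
        echo "account $u uses bash as login shell"; flagged=0
    done
    for f in "$d"/filter.sh "$d"/posix.sh "$d"/native; do
        # /bin/sh pinned to bash here to show the worst case deterministically
        if runs_under_bash "$f" /bin/bash; then
            echo "$f runs under bash"; flagged=0
        fi
    done
    pipe_deliveries "$d/dot-courier" | while read -r cmd; do
        echo "dot-courier pipes mail to: $cmd"
    done
    return $flagged
}

fixtures=$(make_fixtures)
audit "$fixtures"
```

Pass the real `/etc/passwd`, `/usr/bin/sendmail` and the `.courier*` files under users' home directories to these functions (and drop the pinned second argument to `runs_under_bash`) to get the same report for a live host; anything flagged is a place where a bash process can inherit an environment that Courier filled from untrusted input.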
