Source: debbugs Version: 2.6.5 Severity: normal Tags: patch Dear Maintainer,
There is some curious code in Mail.pm:
for my $recipient ($param{parse_for_recipients}?q(-t):(),@recipients)
eval {
_send_message($param{message},@sendmail_arguments,$recipient);
As you can see, it sometimes sets $recipient="-t" to modify how
sendmail works. While clever, it suggests a possible security problem.
In particular, a recipient address may be interpreted as an option
flag. For example,
sendmail -oem -oi -oQ/tmp/[email protected] [email protected]
I am not running debbugs, so I cannot confirm that this weakness is
exploitable, but I am able to simulate it using t/lib/DebbugsTest.pm.
Please see the attached test file, t/24_recipient_injection.t, that
demonstrates the problem. (Run it using `prove -l t/24_*`).
I believe the correct solution is to add "--" in the two places in
lib/Debbugs/Mail.pm which call _send_message(). Please see the second
attachment which includes the fix. Once applied, `prove` will succeed.
The third patch file is optional but useful as it causes
t/lib/DebbugsTest.pm to create properly named tempdirs.
Thank you,
--Ben Wong
-- System Information:
Debian Release: forky/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 7.0.12+deb14.1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
0001-Test-recipient-addresses-injection.patch
Description: application/mbox
0002-Prevent-recipient-address-injection.patch
Description: application/mbox
0003-Give-sane-names-to-temporary-directories.patch
Description: application/mbox

