Source: debbugs
Version: 2.6.5
Severity: normal
Tags: patch

Dear Maintainer,

There is some curious code in Mail.pm:

    for my $recipient ($param{parse_for_recipients}?q(-t):(),@recipients)
        eval {
            _send_message($param{message},@sendmail_arguments,$recipient);

As you can see, it sometimes sets $recipient="-t" to modify how
sendmail works. While clever, it suggests a possible security problem.
In particular, a recipient address may be interpreted as an option
flag. For example,

    sendmail -oem -oi -oQ/tmp/[email protected] [email protected]

I am not running debbugs, so I cannot confirm that this weakness is
exploitable, but I am able to simulate it using t/lib/DebbugsTest.pm.
Please see the attached test file, t/24_recipient_injection.t, that
demonstrates the problem. (Run it using `prove -l t/24_*`).

I believe the correct solution is to add "--" in the two places in
lib/Debbugs/Mail.pm which call _send_message(). Please see the second
attachment which includes the fix. Once applied, `prove` will succeed. 

The third patch file is optional but useful as it causes
t/lib/DebbugsTest.pm to create properly named tempdirs.

Thank you,

--Ben Wong


-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 7.0.12+deb14.1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Attachment: 0001-Test-recipient-addresses-injection.patch
Description: application/mbox

Attachment: 0002-Prevent-recipient-address-injection.patch
Description: application/mbox

Attachment: 0003-Give-sane-names-to-temporary-directories.patch
Description: application/mbox

Reply via email to