Package: procmail
Version: 3.22-26
Severity: critical
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
procmail is a security liability and completely unmaintained upstream. there are viable alternatives, and it should be removed from debian. details below.

# unmaintained

procmail is unmaintained. the "Final release", according to Wikipedia[1], dates back to September 10, 2001 (3.22). this is the release that is shipped with Debian, although we do have *26* debian-specific uploads on top of that (3.22-26, in all suites since buster).

[1]: https://en.wikipedia.org/wiki/Procmail

that release entered Debian on 2001-11-21, now twenty (!) years ago, and presumably shipped with Debian 3.0 "woody":

https://tracker.debian.org/news/269157/installed-procmail-322-1-i386-source/

the upstream website has been down since about 2016, according to a quick tour around archive.org. it currently returns an empty JSON document, mysteriously. (reported as #805864 in 2015, no change since.)

in effect, we are maintaining a fork of this dead software.

# security liability

by default, procmail is installed suid root:mail. there's no debconf or preseed option that can change that, although you could, in theory, do a dpkg-divert to work around it, but I doubt anyone deploying procmail these days does that.

the last maintainer of procmail explicitly advised us (in #769938) and other projects (e.g. OpenBSD, in [2]) to stop shipping it.

[2]: https://marc.info/?l=openbsd-ports&m=141634350915839&w=2

Quote:

> Executive summary: delete the procmail port; the code is not safe
> and should not be used as a basis for any further work.

That Debian bug report is still open, and concerns a NULL pointer dereference. I do not know if it is exploitable. Strangely, the original procmail author (Stephen R. van den Berg, presumably) wrote in that bug report *last year* saying that it was "Fixed in upcoming 3.23 release", which has been targeted for release for all of those last 20 years.

# alternatives

there are plenty of modern alternatives to procmail, typically part of the mail server.
Dovecot has its own LDA which implements the standard Sieve language (RFC 5228, published in 2008, 7 years after procmail's death). Courier has "maildrop" which has its own filtering mechanism. then the tmux author, in 2007, wrote fdm as a fetchmail and procmail replacement.

but procmail, of course, doesn't just ship procmail (that would be too easy). it ships `mailstat(1)`, which we could probably ignore because it only parses procmail log files. but more importantly, it also ships:

 lockfile - conditional semaphore-file creator
 formail - mail (re)formatter

lockfile already has a somewhat acceptable replacement (if TOCTOU is something you like) in the form of `flock(1)`, part of util-linux (which is Essential). it might not be a direct drop-in replacement, but it should be close enough.

formail is similar: the courier `maildrop` package ships `reformail(1)` which is, presumably, a rewrite of formail. it's unclear if it's a drop-in replacement, but it should probably be possible to port uses of formail to it easily.

# conclusion

there is really, absolutely, no reason to keep procmail in Debian at this point. it's a great part of our computing history, and it should be kept forever in our museums and historical archives, but not in main, and certainly not in bookworm or even sid. it's just a bomb waiting to go off.

-- System Information:
Debian Release: 11.2
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'unstable'), (1, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-11-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages procmail depends on:
ii  libc6  2.31-13+deb11u2

Versions of packages procmail recommends:
ii  postfix [mail-transport-agent]  3.5.6-1+b1

procmail suggests no packages.
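The lockfile-to-flock port suggested in the alternatives section, as an added example that is not part of the bug report nor of procmail's or util-linux's own code. It assumes a util-linux `flock(1)` that understands `-n`, `-w` and `-E`/`--conflict-exit-code` (present in every util-linux Debian has shipped since well before buster); the `with_lock`, `try_lock` and `contention_demo` names and the temporary lock file are mine.

```sh
# Added example (not from the bug report, procmail or util-linux): a lockfile(1)-style
# wrapper built on flock(1). A typical procmail-era idiom is
#     lockfile -r 3 /var/lock/foo.lock && do_work; rm -f /var/lock/foo.lock
# lockfile creates the semaphore file atomically and leaves it for the caller to delete,
# so a crashed holder leaves a stale lock behind. flock instead takes a kernel lock on
# an open descriptor for the file: the lock disappears when the holder exits, and there
# is no separate create/check/delete step for a second process to race against.

# with_lock LOCK CMD...: run CMD holding an exclusive lock on LOCK, waiting up to 5 s.
# On contention it returns 75 (EX_TEMPFAIL, the sysexits code MTAs treat as "defer and
# retry later"); otherwise it returns CMD's own exit status.
with_lock() {
    lock=$1; shift
    flock -x -w 5 -E 75 "$lock" "$@"
}

# try_lock LOCK CMD...: same, but give up immediately (-n) instead of waiting.
try_lock() {
    lock=$1; shift
    flock -x -n -E 75 "$lock" "$@"
}

# contention_demo: hold the lock in a background process, show that a non-blocking
# attempt is refused with 75 while it is held, and that the lock is free again as soon
# as the holder exits (no rm needed). Prints the two exit codes, e.g. "75 0".
contention_demo() {
    lock=$(mktemp)                 # constructed lock file for the demo
    flock -x "$lock" sleep 2 &     # holder: keeps the lock for 2 seconds
    holder=$!
    sleep 1                        # give the holder time to acquire it
    try_lock "$lock" true && busy=0 || busy=$?
    wait "$holder"                 # holder exits, kernel releases the lock
    try_lock "$lock" true && free=0 || free=$?
    rm -f "$lock"
    echo "$busy $free"
}

# usage: with_lock /var/lock/foo.lock do_work
```

Note that the lock file itself is never deleted while another process might be about to lock it: with flock the file is only a name for the kernel lock, so removing it would let a third process lock a different inode and defeat the exclusion. The exit code is the one thing callers must adapt: scripts that branch on lockfile's failure status need to test for 75 (or whatever you pass to `-E`) instead.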