Bug#997840: mailutils: [security] mail(1) processes command escapes also if used non-interactively

2021-10-25 Thread Jordi Mallach
tags 997840 + security
thanks

Hi Christian,

On Mon, 25 Oct 2021 at 19:51 +0200, Christian Franke wrote:
> Package: mailutils
> Version: 1:3.10-3
> 
> Steps to reproduce:
> 
> $ printf 'test:\n~! echo ALERT\nbye!\n' | mail TO_SOME_ADDRESS
> 
> Observed: "ALERT" is printed to standard output.
> Expected: String "~! echo ALERT" shall be sent as second line of the
> mail.
> 
> Command escapes should only be processed if used interactively.
> 
> Related security issues:
> https://security-tracker.debian.org/tracker/CVE-2021-32749
> https://www.smartmontools.org/ticket/1535
> 
> Fixed in mailutils 3.13, see https://savannah.gnu.org/bugs/?60937
> If possible, please backport the fix to (old)stable.

Thanks, I'll see with the release team if this goes through Debian
security or via the next point release.


-- 
Jordi Mallach 
Debian Project



Bug#997840: mailutils: [security] mail(1) processes command escapes also if used non-interactively

2021-10-25 Thread Christian Franke

Package: mailutils
Version: 1:3.10-3

Steps to reproduce:

$ printf 'test:\n~! echo ALERT\nbye!\n' | mail TO_SOME_ADDRESS

Observed: "ALERT" is printed to standard output.
Expected: String "~! echo ALERT" shall be sent as second line of the mail.

Command escapes should only be processed if used interactively.

Related security issues:
https://security-tracker.debian.org/tracker/CVE-2021-32749
https://www.smartmontools.org/ticket/1535

Fixed in mailutils 3.13, see https://savannah.gnu.org/bugs/?60937
If possible, please backport the fix to (old)stable.

Regards,
Christian Franke
smartmontools.org
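A minimal model of the behaviour the report describes, added here as an illustration and not taken from mailutils: `compose` honours `~!` command escapes only when composing interactively (the fix the report asks for), and `find_escape_lines` is a pre-flight check a script can run on generated text before piping it into an unpatched mail(1). The function names and the `~!`-only handling are this example's own simplifications; the sample input is the reproducer from the report.

```python
import sys

# Constructed sample: the exact stdin used in the bug report's reproducer.
SAMPLE_INPUT = "test:\n~! echo ALERT\nbye!\n"


def compose(text, interactive):
    """Simplified model of mail(1) body composition.

    Returns (body, shell_commands). A line beginning with '~!' is a
    command escape: when interactive, the line is removed from the body
    and its command is recorded (a real mail(1) would execute it and show
    the output on the terminal). When not interactive, the fixed
    behaviour (mailutils 3.13) keeps every line verbatim. Commands are
    only recorded here, never executed.
    """
    body, commands = [], []
    for line in text.splitlines():
        if interactive and line.startswith("~!"):
            commands.append(line[2:].strip())
            continue
        body.append(line)
    return "\n".join(body) + "\n", commands


def find_escape_lines(text):
    """1-based numbers of lines an escape-processing mail(1) would treat as
    commands rather than message text. Hypothetical helper for scripts that
    still feed generated text to an unpatched mail(1)."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if line.startswith("~")]


if __name__ == "__main__":
    # The check the fix hinges on: is the body coming from a terminal?
    interactive = sys.stdin.isatty()
    body, commands = compose(SAMPLE_INPUT, interactive)
    print("interactive:", interactive)
    print("escape lines:", find_escape_lines(SAMPLE_INPUT))
    print("would execute:", commands)
    print("body:", repr(body))
```

Run it both ways (`python3 model.py` and `printf '' | python3 model.py`) to see the escape line kept as message text only in the piped case.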