tags 997840 + security
thanks
Hi Christian,
On Mon, 25 Oct 2021 at 19:51 +0200, Christian Franke wrote:
> Package: mailutils
> Version: 1:3.10-3
>
> Steps to reproduce:
>
> $ printf 'test:\n~! echo ALERT\nbye!\n' | mail TO_SOME_ADDRESS
>
> Observed: "ALERT" is printed to standard output.
> Expected: String "~! echo ALERT" shall be sent as second line of the
> mail.
>
> Command escapes should only be processed if used interactively.
>
> Related security issues:
> https://security-tracker.debian.org/tracker/CVE-2021-32749
> https://www.smartmontools.org/ticket/1535
>
> Fixed in mailutils 3.13, see https://savannah.gnu.org/bugs/?60937
> If possible, please backport the fix to (old)stable.
Thanks, I'll see with the release team if this goes through Debian
security or via the next point release.
--
Jordi Mallach
Debian Project
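
The behaviour the report asks for ("Command escapes should only be processed if used interactively"), as an added C example that is not mailutils code and not part of the original messages. The names `classify_line` and `compose` are hypothetical, the sample input is the reproducer string from the report, and escape lines are only counted, never run.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical result type: what a mail composer does with one input line. */
enum line_kind { LINE_BODY, LINE_ESCAPE };

/* A line is a command escape only if it starts with '~' AND input is a terminal. */
static enum line_kind classify_line(const char *line, int interactive)
{
    return (interactive && line[0] == '~') ? LINE_ESCAPE : LINE_BODY;
}

/* Copy the body lines of `input` into `body` (capacity `cap`).
 * Returns the number of lines treated as escapes, or -1 if `body` is too small.
 * Escape lines are counted and dropped here; nothing is executed. */
static int compose(const char *input, int interactive, char *body, size_t cap)
{
    int escapes = 0;
    size_t used = 0;

    if (cap == 0)
        return -1;
    body[0] = '\0';
    while (*input) {
        size_t len = strcspn(input, "\n");          /* length without newline */
        if (classify_line(input, interactive) == LINE_ESCAPE) {
            escapes++;
        } else {
            if (used + len + 2 > cap)               /* line + '\n' + '\0' */
                return -1;
            memcpy(body + used, input, len);
            used += len;
            body[used++] = '\n';
            body[used] = '\0';
        }
        input += len + (input[len] == '\n');
    }
    return escapes;
}

/* Reproducer input from the bug report. */
static const char SAMPLE[] = "test:\n~! echo ALERT\nbye!\n";

int main(void)
{
    char body[256];
    int interactive = isatty(STDIN_FILENO);         /* 0 when stdin is a pipe */
    int n = compose(SAMPLE, interactive, body, sizeof body);
    printf("interactive=%d escapes=%d\n%s", interactive, n, body);
    return n < 0;
}
```

With standard input coming from a pipe, as in the reproducer, `isatty()` returns 0 and the `~! echo ALERT` line stays in the body as plain text.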