Security impact is moderate, update priority is medium

Dec 17, 2014 14:50 GMT

Two vulnerabilities, affecting the mailx utility for Unix systems, have been addressed by the maintainers of Debian and Red Hat Linux distributions; one of the flaws had been repaired in the BSD mailx implementation on Debian ten years ago, but Heirloom mailx was still impacted.

Separate security advisories for the two operating systems state that a local attacker could use mailx to execute arbitrary commands on the affected system by providing maliciously formed email addresses.

Mailx is a mail user agent (MUA), a utility for sending and receiving messages, which is used by several email programs. It is present in multiple Linux distributions.

One of the problems was discovered in 2004

The email addresses are not parsed properly, which leads to mailx executing arbitrary shell commands through shell meta-characters (CVE-2004-2771) and through the direct command execution functionality (CVE-2014-7844).

CVE-2004-2771 was reported back in October 2004, by Seungbeom Kim, and recognized as a security problem. At the time, Robert Luberda, the maintainer of the Debian mailx package, released a fix for the BSD implementation.

The current security updates in Debian and Red Hat Enterprise Linux (versions 6 and 7) distributions are designed to solve both problems completely, for both BSD-mailx and Heirloom-mailx packages.

New email address separator for applications using mailx

The developers point out that applications that rely on mailx to send emails to addresses from an untrusted source still present a risk if they accept input that begins with the “-” character, because such input can be confused with a mailx option.

To address this issue, it is recommended to use the “--” separator, an option available in the latest mailx version on Red Hat. All users of mailx are advised to upgrade to the updated packages, which contain backported patches.

Maintainers of Debian released a similar notification, saying that if the “--” separator cannot be used, then the recipient’s email address should be passed as part of the mail header, by invoking “mail -t” or “sendmail -i -t.”
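The two recommendations above can be applied by a calling application as follows. This is an added example, not code from the Debian or Red Hat advisories; the function names and the address allowlist are assumptions of the example.

```python
import re
import subprocess
from email.message import EmailMessage

# Conservative allowlist (an assumption of this example, not taken from the
# advisories): the address must start with an alphanumeric character, so it
# can never begin with "-", and it contains no whitespace or line breaks.
_ADDR = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)


def check_address(addr: str) -> str:
    """Return addr unchanged if it passes the allowlist, else raise ValueError."""
    if not _ADDR.fullmatch(addr):
        raise ValueError(f"rejected recipient: {addr!r}")
    return addr


def mailx_argv(subject: str, recipients: list[str]) -> list[str]:
    """argv for an updated mailx: arguments after "--" are addresses, not options."""
    if not recipients:
        raise ValueError("no recipients")
    return ["mailx", "-s", subject, "--", *[check_address(r) for r in recipients]]


def sendmail_input(sender: str, recipients: list[str],
                   subject: str, body: str) -> tuple[list[str], bytes]:
    """Fallback when "--" is unavailable: recipients travel in the To: header."""
    msg = EmailMessage()
    msg["From"] = check_address(sender)
    msg["To"] = ", ".join(check_address(r) for r in recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return ["sendmail", "-i", "-t"], msg.as_bytes()


def send(argv: list[str], stdin: bytes) -> None:
    """Run the mailer from an argument vector; no shell parses the input."""
    subprocess.run(argv, input=stdin, check=True)
```

With the mailx form, the message body is passed on standard input, for example `send(mailx_argv(subject, recipients), body.encode())`.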

The stable distribution of Debian, Wheezy, had the aforementioned glitches eliminated in version 8.1.2-0.20111106cvs-1+deb7u1.

The security impact has been rated as moderate, and applying the new update is considered a medium priority.

Florian Weimer from Red Hat Security worked to deliver the patch. He is also the researcher who provided a permanent fix for the Shellshock vulnerability in the Bash command interpreter in September.