<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[129925] trunk/dports/mail/mailx</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="https://trac.macports.org/changeset/129925">129925</a></dd>
<dt>Author</dt> <dd>raimue@macports.org</dd>
<dt>Date</dt> <dd>2014-12-23 06:05:05 -0800 (Tue, 23 Dec 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>mail/mailx:
Fixes for CVE-2004-2771 and CVE-2014-7844, closes #46255 (maintainer timeout)</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkdportsmailmailxPortfile">trunk/dports/mail/mailx/Portfile</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkdportsmailmailxfilespatch0001outofIntroduceexpandaddrflagdiff">trunk/dports/mail/mailx/files/patch-0001-outof-Introduce-expandaddr-flag.diff</a></li>
<li><a href="#trunkdportsmailmailxfilespatch0002unpackDisableoptionprocessingforemailaddressesdiff">trunk/dports/mail/mailx/files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff</a></li>
<li><a href="#trunkdportsmailmailxfilespatch0003fio_cUnconditionallyrequirewordexpsupportdiff">trunk/dports/mail/mailx/files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff</a></li>
<li><a href="#trunkdportsmailmailxfilespatch0004globnameInvokewordexpwithWRDE_NOCMDCVE2004277diff">trunk/dports/mail/mailx/files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkdportsmailmailxPortfile"></a>
<div class="modfile"><h4>Modified: trunk/dports/mail/mailx/Portfile (129924 => 129925)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/mail/mailx/Portfile        2014-12-23 10:27:30 UTC (rev 129924)
+++ trunk/dports/mail/mailx/Portfile        2014-12-23 14:05:05 UTC (rev 129925)
</span><span class="lines">@@ -3,7 +3,7 @@
</span><span class="cx"> PortSystem 1.0
</span><span class="cx"> name            mailx
</span><span class="cx"> version         12.4
</span><del>-revision        2
</del><ins>+revision        3
</ins><span class="cx"> categories      mail
</span><span class="cx"> license         {BSD-old BSD}
</span><span class="cx"> maintainers     toby
</span><span class="lines">@@ -34,6 +34,14 @@
</span><span class="cx">                 patch-makeconfig \
</span><span class="cx">                 patch-openssl.c
</span><span class="cx"> 
</span><ins>+# CVE-2004-2771, CVE-2014-7844
+# http://seclists.org/oss-sec/2014/q4/1066
+patchfiles-append \
+                patch-0001-outof-Introduce-expandaddr-flag.diff \
+                patch-0002-unpack-Disable-option-processing-for-email-addresses.diff \
+                patch-0003-fio_c-Unconditionally-require-wordexp-support.diff \
+                patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff
+
</ins><span class="cx"> post-patch {
</span><span class="cx">     reinplace &quot;s|__PREFIX__|${prefix}|&quot; &quot;${worksrcpath}/Makefile&quot;
</span><span class="cx">     reinplace &quot;s|__DESTROOT__|${destroot}|&quot; &quot;${worksrcpath}/Makefile&quot;
</span></span></pre></div>
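Review bot: The `patchfiles-append` block changes runtime behaviour for existing users, yet the Portfile gives them no notice. Per the man-page text added by patch 0001, recipients naming files or pipes are no longer expanded unless `expandaddr` is set. A `notes` entry saying that scripts relying on such recipients must now set `expandaddr` in their mailrc would make the upgrade to revision 3 less surprising. The comment above the block could also map patches to CVEs as their subject lines do (0001 for CVE-2014-7844, 0004 for CVE-2004-2771), and point out that the 0004 file name truncates the id to `CVE-2004-277`, so a search of file names for the full id will miss it.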
<a id="trunkdportsmailmailxfilespatch0001outofIntroduceexpandaddrflagdiff"></a>
<div class="addfile"><h4>Added: trunk/dports/mail/mailx/files/patch-0001-outof-Introduce-expandaddr-flag.diff (0 => 129925)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/mail/mailx/files/patch-0001-outof-Introduce-expandaddr-flag.diff                                (rev 0)
+++ trunk/dports/mail/mailx/files/patch-0001-outof-Introduce-expandaddr-flag.diff        2014-12-23 14:05:05 UTC (rev 129925)
</span><span class="lines">@@ -0,0 +1,67 @@
</span><ins>+Upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+&gt;From 9984ae5cb0ea0d61df1612b06952a61323c083d9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer &lt;fweimer () redhat com&gt;
+Date: Mon, 17 Nov 2014 11:13:38 +0100
+Subject: [PATCH 1/4] outof: Introduce expandaddr flag
+
+Document that address expansion is disabled unless the expandaddr
+binary option is set.
+
+This has been assigned CVE-2014-7844 for BSD mailx, but it is not
+a vulnerability in Heirloom mailx because this feature was documented.
+---
+ mailx.1 | 14 ++++++++++++++
+ names.c |  3 +++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/mailx.1 b/mailx.1
+index 70a7859..22a171b 100644
+--- mailx.1
++++ mailx.1
+@@ -656,6 +656,14 @@ but any reply returned to the machine
+ will have the system wide alias expanded
+ as all mail goes through sendmail.
+ .SS &quot;Recipient address specifications&quot;
++If the
++.I expandaddr
++option is not set (the default), recipient addresses must be names of
++local mailboxes or Internet mail addresses.
++.PP
++If the
++.I expandaddr
++option is set, the following rules apply:
+ When an address is used to name a recipient
+ (in any of To, Cc, or Bcc),
+ names of local mail folders
+@@ -2391,6 +2399,12 @@ and exits immediately.
+ If this option is set,
+ \fImailx\fR starts even with an empty mailbox.
+ .TP
++.B expandaddr
++Causes
++.I mailx
++to expand message recipient addresses, as explained in the section,
++Recipient address specifications.
++.TP
+ .B flipr
+ Exchanges the
+ .I Respond
+diff --git a/names.c b/names.c
+index 66e976b..c69560f 100644
+--- names.c
++++ names.c
+@@ -268,6 +268,9 @@ outof(struct name *names, FILE *fo, struct header *hp)
+         FILE *fout, *fin;
+         int ispipe;

++        if (value(&quot;expandaddr&quot;) == NULL)
++                return names;
++
+         top = names;
+         np = names;
+         time(&amp;now);
+-- 
+1.9.3
+
+
</ins></span></pre></div>
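Review bot: The early return added to `outof()` has no comment, although it is the whole security decision of this patch. With `expandaddr` unset the recipient list is returned untouched, so names that look like files or pipes are handed on as ordinary addresses instead of being opened or executed. I would put `/* expandaddr unset: never treat a recipient as a file or pipe; pass the list through unchanged */` above the `if`. `value()` is defined outside this section; if it also consults the process environment (to be confirmed), an inherited `expandaddr` variable would switch expansion back on for scripts that call mailx with untrusted recipients, and the new man-page paragraph should say so. The body of `outof()` continues outside the hunk.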
<a id="trunkdportsmailmailxfilespatch0002unpackDisableoptionprocessingforemailaddressesdiff"></a>
<div class="addfile"><h4>Added: trunk/dports/mail/mailx/files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff (0 => 129925)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/mail/mailx/files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff                                (rev 0)
+++ trunk/dports/mail/mailx/files/patch-0002-unpack-Disable-option-processing-for-email-addresses.diff        2014-12-23 14:05:05 UTC (rev 129925)
</span><span class="lines">@@ -0,0 +1,77 @@
</span><ins>+upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+&gt;From e34e2ac67b80497080ebecccec40c3b61456167d Mon Sep 17 00:00:00 2001
+From: Florian Weimer &lt;fweimer () redhat com&gt;
+Date: Mon, 17 Nov 2014 11:14:06 +0100
+Subject: [PATCH 2/4] unpack: Disable option processing for email addresses
+ when calling sendmail
+
+---
+ extern.h  | 2 +-
+ names.c   | 8 ++++++--
+ sendout.c | 2 +-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/extern.h b/extern.h
+index 6b85ba0..8873fe8 100644
+--- extern.h
++++ extern.h
+@@ -396,7 +396,7 @@ struct name *outof(struct name *names, FILE *fo, struct header *hp);
+ int is_fileaddr(char *name);
+ struct name *usermap(struct name *names);
+ struct name *cat(struct name *n1, struct name *n2);
+-char **unpack(struct name *np);
++char **unpack(struct name *smopts, struct name *np);
+ struct name *elide(struct name *names);
+ int count(struct name *np);
+ struct name *delete_alternates(struct name *np);
+diff --git a/names.c b/names.c
+index c69560f..45bbaed 100644
+--- names.c
++++ names.c
+@@ -549,7 +549,7 @@ cat(struct name *n1, struct name *n2)
+  * Return an error if the name list won't fit.
+  */
+ char **
+-unpack(struct name *np)
++unpack(struct name *smopts, struct name *np)
+ {
+         char **ap, **top;
+         struct name *n;
+@@ -564,7 +564,7 @@ unpack(struct name *np)
+          * the terminating 0 pointer.  Additional spots may be needed
+          * to pass along -f to the host mailer.
+          */
+-        extra = 2;
++        extra = 3 + count(smopts);
+         extra++;
+         metoo = value(&quot;metoo&quot;) != NULL;
+         if (metoo)
+@@ -581,6 +581,10 @@ unpack(struct name *np)
+                 *ap++ = &quot;-m&quot;;
+         if (verbose)
+                 *ap++ = &quot;-v&quot;;
++        for (; smopts != NULL; smopts = smopts-&gt;n_flink)
++                if ((smopts-&gt;n_type &amp; GDEL) == 0)
++                        *ap++ = smopts-&gt;n_name;
++        *ap++ = &quot;--&quot;;
+         for (; n != NULL; n = n-&gt;n_flink)
+                 if ((n-&gt;n_type &amp; GDEL) == 0)
+                         *ap++ = n-&gt;n_name;
+diff --git a/sendout.c b/sendout.c
+index 7b7f2eb..c52f15d 100644
+--- sendout.c
++++ sendout.c
+@@ -835,7 +835,7 @@ start_mta(struct name *to, struct name *mailargs, FILE *input,
+ #endif        /* HAVE_SOCKETS */

+         if ((smtp = value(&quot;smtp&quot;)) == NULL) {
+-                args = unpack(cat(mailargs, to));
++                args = unpack(mailargs, to);
+                 if (debug || value(&quot;debug&quot;)) {
+                         printf(catgets(catd, CATSET, 181,
+                                         &quot;Sendmail arguments:&quot;));
+-- 
+1.9.3
+
+
</ins></span></pre></div>
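Review bot: The array sizing in `unpack()` is now `extra = 3 + count(smopts)` followed by the unchanged `extra++`, but the comment above it still describes the old slots and nothing says what the third fixed slot is for. An undercount here would write past the end of the argument vector (the allocation itself is outside the hunk), so I would extend the comment to list each slot, e.g. `/* program name, "--" separator, terminating 0, plus one per sendmail option */`. The `--` line deserves `/* end of options: recipient names after this are never parsed as MTA flags */`, and it assumes the configured MTA accepts `--`. Only the `sendout.c` caller is updated in this section; any other caller still using the one-argument `unpack()` would need the same change.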
<a id="trunkdportsmailmailxfilespatch0003fio_cUnconditionallyrequirewordexpsupportdiff"></a>
<div class="addfile"><h4>Added: trunk/dports/mail/mailx/files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff (0 => 129925)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/mail/mailx/files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff                                (rev 0)
+++ trunk/dports/mail/mailx/files/patch-0003-fio_c-Unconditionally-require-wordexp-support.diff        2014-12-23 14:05:05 UTC (rev 129925)
</span><span class="lines">@@ -0,0 +1,111 @@
</span><ins>+Upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+&gt;From 2bae8ecf04ec2ba6bb9f0af5b80485dd0edb427d Mon Sep 17 00:00:00 2001
+From: Florian Weimer &lt;fweimer () redhat com&gt;
+Date: Mon, 17 Nov 2014 12:48:25 +0100
+Subject: [PATCH 3/4] fio.c: Unconditionally require wordexp support
+
+---
+ fio.c | 67 +++++--------------------------------------------------------------
+ 1 file changed, 5 insertions(+), 62 deletions(-)
+
+diff --git a/fio.c b/fio.c
+index 65e8f10..1529236 100644
+--- fio.c
++++ fio.c
+@@ -43,12 +43,15 @@ static char sccsid[] = &quot;@(#)fio.c        2.76 (gritter) 9/16/09&quot;;
+ #endif /* not lint */

+ #include &quot;rcv.h&quot;
++
++#ifndef HAVE_WORDEXP
++#error wordexp support is required
++#endif
++
+ #include &lt;sys/stat.h&gt;
+ #include &lt;sys/file.h&gt;
+ #include &lt;sys/wait.h&gt;
+-#ifdef        HAVE_WORDEXP
+ #include &lt;wordexp.h&gt;
+-#endif        /* HAVE_WORDEXP */
+ #include &lt;unistd.h&gt;

+ #if defined (USE_NSS)
+@@ -481,7 +484,6 @@ next:
+ static char *
+ globname(char *name)
+ {
+-#ifdef        HAVE_WORDEXP
+         wordexp_t we;
+         char *cp;
+         sigset_t nset;
+@@ -527,65 +529,6 @@ globname(char *name)
+         }
+         wordfree(&amp;we);
+         return cp;
+-#else        /* !HAVE_WORDEXP */
+-        char xname[PATHSIZE];
+-        char cmdbuf[PATHSIZE];                /* also used for file names */
+-        int pid, l;
+-        char *cp, *shell;
+-        int pivec[2];
+-        extern int wait_status;
+-        struct stat sbuf;
+-
+-        if (pipe(pivec) &lt; 0) {
+-                perror(&quot;pipe&quot;);
+-                return name;
+-        }
+-        snprintf(cmdbuf, sizeof cmdbuf, &quot;echo %s&quot;, name);
+-        if ((shell = value(&quot;SHELL&quot;)) == NULL)
+-                shell = SHELL;
+-        pid = start_command(shell, 0, -1, pivec[1], &quot;-c&quot;, cmdbuf, NULL);
+-        if (pid &lt; 0) {
+-                close(pivec[0]);
+-                close(pivec[1]);
+-                return NULL;
+-        }
+-        close(pivec[1]);
+-again:
+-        l = read(pivec[0], xname, sizeof xname);
+-        if (l &lt; 0) {
+-                if (errno == EINTR)
+-                        goto again;
+-                perror(&quot;read&quot;);
+-                close(pivec[0]);
+-                return NULL;
+-        }
+-        close(pivec[0]);
+-        if (wait_child(pid) &lt; 0 &amp;&amp; WTERMSIG(wait_status) != SIGPIPE) {
+-                fprintf(stderr, catgets(catd, CATSET, 81,
+-                                &quot;\&quot;%s\&quot;: Expansion failed.\n&quot;), name);
+-                return NULL;
+-        }
+-        if (l == 0) {
+-                fprintf(stderr, catgets(catd, CATSET, 82,
+-                                        &quot;\&quot;%s\&quot;: No match.\n&quot;), name);
+-                return NULL;
+-        }
+-        if (l == sizeof xname) {
+-                fprintf(stderr, catgets(catd, CATSET, 83,
+-                                &quot;\&quot;%s\&quot;: Expansion buffer overflow.\n&quot;), name);
+-                return NULL;
+-        }
+-        xname[l] = 0;
+-        for (cp = &amp;xname[l-1]; *cp == '\n' &amp;&amp; cp &gt; xname; cp--)
+-                
+-        cp[1] = '\0';
+-        if (strchr(xname, ' ') &amp;&amp; stat(xname, &amp;sbuf) &lt; 0) {
+-                fprintf(stderr, catgets(catd, CATSET, 84,
+-                                &quot;\&quot;%s\&quot;: Ambiguous.\n&quot;), name);
+-                return NULL;
+-        }
+-        return savestr(xname);
+-#endif        /* !HAVE_WORDEXP */
+ }

+ /*
+-- 
+1.9.3
+
+
</ins></span></pre></div>
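Review bot: The `#error` guard sits after `#include "rcv.h"` and so depends on that header, or something it includes, defining `HAVE_WORDEXP`; where the definition comes from is not visible in this section. A one-line comment such as `/* HAVE_WORDEXP is expected from the build configuration; the shell-based fallback was removed on purpose */` would stop a later porter from re-adding the fallback. The message could also say why, for example `#error wordexp support is required (shell fallback removed for CVE-2004-2771)`. On its own this patch still leaves the `wordexp()` call with flags `0`, so it should not be applied without patch 0004.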
<a id="trunkdportsmailmailxfilespatch0004globnameInvokewordexpwithWRDE_NOCMDCVE2004277diff"></a>
<div class="addfile"><h4>Added: trunk/dports/mail/mailx/files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff (0 => 129925)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/mail/mailx/files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff                                (rev 0)
+++ trunk/dports/mail/mailx/files/patch-0004-globname-Invoke-wordexp-with-WRDE_NOCMD-CVE-2004-277.diff        2014-12-23 14:05:05 UTC (rev 129925)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+Upstream: http://seclists.org/oss-sec/2014/q4/1066
+
+&gt;From 73fefa0c1ac70043ec84f2d8b8f9f683213f168d Mon Sep 17 00:00:00 2001
+From: Florian Weimer &lt;fweimer () redhat com&gt;
+Date: Mon, 17 Nov 2014 13:11:32 +0100
+Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
+
+---
+ fio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fio.c b/fio.c
+index 1529236..774a204 100644
+--- fio.c
++++ fio.c
+@@ -497,7 +497,7 @@ globname(char *name)
+         sigemptyset(&amp;nset);
+         sigaddset(&amp;nset, SIGCHLD);
+         sigprocmask(SIG_BLOCK, &amp;nset, NULL);
+-        i = wordexp(name, &amp;we, 0);
++        i = wordexp(name, &amp;we, WRDE_NOCMD);
+         sigprocmask(SIG_UNBLOCK, &amp;nset, NULL);
+         switch (i) {
+         case 0:
+-- 
+1.9.3
+
+
</ins></span></pre>
</div>
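Review bot: With `WRDE_NOCMD` set, `wordexp()` reports a rejected command substitution as `WRDE_CMDSUB`, and the `switch (i)` that follows is cut off after `case 0:`, so it is not visible here whether that value is treated as a hard failure. It should end in an error message and a NULL return, never in a fallback to the unexpanded `name`. If the switch only has a generic default, an explicit `case WRDE_CMDSUB:` with a comment would document the intent. A short comment on the call, `/* WRDE_NOCMD: file name expansion must never run commands (CVE-2004-2771) */`, would also help. `globname()` starts and ends outside the hunk.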
</div>

</body>
</html>