heirloom-mailx: CVE-2004-2771 CVE-2014-7844


Debian Bug report logs - #773417


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 18 Dec 2014 07:42:02 UTC

Severity: grave

Tags: security, upstream

Found in version heirloom-mailx/12.4-2

Fixed in versions heirloom-mailx/12.4-2+deb6u1, heirloom-mailx/12.5-2+deb7u1, heirloom-mailx/12.5-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#773417; Package src:heirloom-mailx. (Thu, 18 Dec 2014 07:42:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hilko Bengen <bengen@debian.org>. (Thu, 18 Dec 2014 07:42:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: heirloom-mailx: CVE-2004-2771 CVE-2014-7844
Date: Thu, 18 Dec 2014 08:40:24 +0100
Source: heirloom-mailx
Version: 12.4-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 12.5-2+deb7u1

Hi,

the following vulnerabilities were published for heirloom-mailx.

 * CVE-2004-2771[0]
 * CVE-2014-7844[1]

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2004-2771
[1] https://security-tracker.debian.org/tracker/CVE-2014-7844

Regards,
Salvatore



Marked as fixed in versions heirloom-mailx/12.5-2+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 18 Dec 2014 07:42:07 GMT)


Marked as fixed in versions heirloom-mailx/12.4-2+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Dec 2014 07:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#773417; Package src:heirloom-mailx. (Fri, 19 Dec 2014 13:51:11 GMT)


Acknowledgement sent to Hilko Bengen <bengen@hilluzination.de>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Fri, 19 Dec 2014 13:51:11 GMT)


Message #14 received at 773417@bugs.debian.org:

From: Hilko Bengen <bengen@hilluzination.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 773417@bugs.debian.org
Subject: Re: Bug#773417: heirloom-mailx: CVE-2004-2771 CVE-2014-7844
Date: Fri, 19 Dec 2014 13:46:22 +0100
* Salvatore Bonaccorso:

> the following vulnerabilities were published for heirloom-mailx.
>
>  * CVE-2004-2771[0]
>  * CVE-2014-7844[1]

I cannot update the package right now. If somebody wants to prepare
an NMU for jessie and sid, please do so.

Cheers,
-Hilko



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#773417; Package src:heirloom-mailx. (Sat, 20 Dec 2014 06:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Sat, 20 Dec 2014 06:21:05 GMT)


Message #19 received at 773417@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Hilko Bengen <bengen@hilluzination.de>, 773417@bugs.debian.org
Subject: Re: Bug#773417: heirloom-mailx: CVE-2004-2771 CVE-2014-7844
Date: Sat, 20 Dec 2014 07:18:51 +0100
Hi Hilko,

On Fri, Dec 19, 2014 at 01:46:22PM +0100, Hilko Bengen wrote:
> * Salvatore Bonaccorso:
> 
> > the following vulnerabilities were published for heirloom-mailx.
> >
> >  * CVE-2004-2771[0]
> >  * CVE-2014-7844[1]
> 
> I cannot update the package right now. If somebody wants to do prepare
> an NMU for jessie and sid, please do so.

Okay and thanks for the short notice. I can take care of the NMU based
on Florian's patches.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 20 Dec 2014 06:54:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Dec 2014 06:54:05 GMT)


Message #24 received at 773417-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 773417-close@bugs.debian.org
Subject: Bug#773417: fixed in heirloom-mailx 12.5-3.1
Date: Sat, 20 Dec 2014 06:51:58 +0000
Source: heirloom-mailx
Source-Version: 12.5-3.1

We believe that the bug you reported is fixed in the latest version of
heirloom-mailx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773417@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated heirloom-mailx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Dec 2014 06:55:53 +0100
Source: heirloom-mailx
Binary: heirloom-mailx
Architecture: source amd64
Version: 12.5-3.1
Distribution: unstable
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 heirloom-mailx - feature-rich BSD mail(1)
Closes: 773417
Changes:
 heirloom-mailx (12.5-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Apply patches from Red Hat (Florian Weimer) to address command
     execution issues (Closes: #773417):
     + 0011-outof-Introduce-expandaddr-flag.patch
       Disable command execution in email addresses (CVE-2014-7844)
     + 0012-unpack-Disable-option-processing-for-email-addresses.patch
     + 0013-fio.c-Unconditionally-require-wordexp-support.patch
     + 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch (CVE-2004-2771)
Checksums-Sha1:
 c9574b4848753333856f81d67802f295d58c91fd 1791 heirloom-mailx_12.5-3.1.dsc
 1cffeed1f2ad9b0253a9f619e2a6f9fb8e3e0aba 9068 heirloom-mailx_12.5-3.1.debian.tar.xz
Checksums-Sha256:
 cfd2dda2d7f1d4a9c855393e4a7e4ece73bad6768108a6cb33126d6161292c1f 1791 heirloom-mailx_12.5-3.1.dsc
 62b73665c1d2815e483df76be116b00e20e2e60c6dc5178542ef13d1ddfc3c68 9068 heirloom-mailx_12.5-3.1.debian.tar.xz
Files:
 61886120ea0d22384dc0536794ffaf54 1791 mail optional heirloom-mailx_12.5-3.1.dsc
 bc9591c97242d4a95c26a3bea61df969 9068 mail optional heirloom-mailx_12.5-3.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUlRUgAAoJEAVMuPMTQ89EEwwP/01Kq3GGX8RXSxAlySlbx9Yh
AtNoE61qNDs5594VXhdgZ2f6Hv8G++c4GUEqf4k9JQ8uG2qqWnYQyBTNPupeguYq
0846Dozw0SrAX8vXfQQyG9pewu012IScTsJJUZ0TbT42pL+krRPkd9x32cz49GH7
MWOYYpA6Kqsfmjw+/pTrdkWZ9/T4Ee3r6dVnikJmL8u2Sh/uTbIEKKCSF2OXomhQ
41nM7HDO1uM1CnsyfEf5zy0/vZvnF4n2cltnNTCIhVqrNQATQwAz1IyfaKokDJYO
JLVsZbWZWeQZtPBVTJRVuMJrAZWcRTsJrWJcsuQESD4qGPqsSdOOHrl/DoBztN8Q
SUHDUpwE5iPdrVNi4gxL3UhAeMhibPprgL8OEOhYeEiNNylwHGv9xSopVeAfXmZP
QZccTejjZwZrYWUILs4HYHCc5VtWvvuj1v9TcHjzcBZ46erVxpwYHHdEdg/P6Vd9
M4bPx+MXx8kyirOrTeHpjfQFhMkw7W7E7MwFVOfV6I8qeWvKT2wuwHLJBlaLdgO5
YI4YwJ5L68hgRB4j3Lb/w9ZXZL9+OiUDDnawseabQyFmiZLydFQopJtJTRmQFh6n
USI6BVXsVtnqa45y6NodWNJTQphfFUzpopecPpm1xZ7i5LMLlWmkPLznX6i+j3Xa
FUuW+iXUVwlA4HKT7GZZ
=jAZi
-----END PGP SIGNATURE-----
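The changelog in the upload above names the shape of both fixes: wordexp(3) is now invoked with WRDE_NOCMD (patch 0014, CVE-2004-2771), and the recipient forms that pipe to a command or write to a file sit behind a new expandaddr flag while option processing for addresses is disabled (patches 0011 and 0012, CVE-2014-7844). The C program below is an added example written for this page; it is not code from heirloom-mailx or from the Red Hat patches. It shows wordexp with WRDE_NOCMD refusing command substitution, a simplified expandaddr gate over recipient strings, and a "--" separator placed before the recipient list handed to the MTA. The recipient classification rules (leading "|", "/" and "-"), the function names, the sendmail invocation and the sample recipients are assumptions made for the example, not mailx's own parser.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* CVE-2004-2771 side. With WRDE_NOCMD, glibc's wordexp(3) returns
 * WRDE_CMDSUB for "$(...)" and "`...`" instead of running them through
 * /bin/sh. Returns the number of words, or -1 if the pattern was rejected.
 * On success the caller releases *we with wordfree(). */
int expand_nocmd(const char *pattern, wordexp_t *we)
{
    int rc = wordexp(pattern, we, WRDE_NOCMD);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)   /* only this error leaves state allocated */
            wordfree(we);
        return -1;
    }
    return (int)we->we_wordc;
}

/* CVE-2014-7844 side. Simplified model (an assumption for this example) of
 * the recipient forms gated by expandaddr: "|cmd" pipes the message to a
 * shell command, "/path" writes it to a file, "-opt" would be parsed as an
 * option by the sendmail binary receiving it. Anything else is an address. */
enum addr_kind { ADDR_MAIL = 0, ADDR_PIPE, ADDR_FILE, ADDR_OPTION };

enum addr_kind classify_addr(const char *a)
{
    if (a[0] == '|') return ADDR_PIPE;
    if (a[0] == '/') return ADDR_FILE;
    if (a[0] == '-') return ADDR_OPTION;
    return ADDR_MAIL;
}

/* With expandaddr == 0 (the patched default) every non-mail form is dropped;
 * with expandaddr != 0 pipes and files are honoured. An option-looking
 * recipient is never accepted. Returns the number of recipients kept. */
int filter_recipients(const char **in, int n_in, int expandaddr,
                      const char **out, int n_out)
{
    int kept = 0;
    for (int i = 0; i < n_in && kept < n_out; i++) {
        enum addr_kind k = classify_addr(in[i]);
        if (k == ADDR_OPTION)
            continue;
        if (k != ADDR_MAIL && !expandaddr)
            continue;
        out[kept++] = in[i];
    }
    return kept;
}

/* Put "--" before the recipient list so the MTA's option parser stops and a
 * recipient such as "-OQueueDirectory=/tmp" reaches it as data. Returns argc
 * (without the NULL terminator), or -1 if the vector does not fit. */
int build_mta_argv(const char *mta, const char **rcpts, int n,
                   const char **argv, int max)
{
    int argc = 0;
    if (n + 4 > max)                /* mta, "-i", "--", n recipients, NULL */
        return -1;
    argv[argc++] = mta;
    argv[argc++] = "-i";            /* sendmail: do not stop at a lone "." */
    argv[argc++] = "--";
    for (int i = 0; i < n; i++)
        argv[argc++] = rcpts[i];
    argv[argc] = NULL;
    return argc;
}

/* Runs both checks on constructed inputs (not a real attack); 1 if the
 * patched behaviour holds, 0 otherwise. */
int demo_fixes_hold(void)
{
    const char *rcpts[] = { "alice@example.org", "|touch /tmp/pwned",
                            "/tmp/out.eml", "-OQueueDirectory=/tmp" };
    const char *kept[8], *argv[16];
    wordexp_t we;
    int ok = 1;

    ok &= filter_recipients(rcpts, 4, 0, kept, 8) == 1;   /* only alice */
    ok &= filter_recipients(rcpts, 4, 1, kept, 8) == 3;   /* pipe, file too */
    int argc = build_mta_argv("/usr/sbin/sendmail", kept, 3, argv, 16);
    ok &= argc == 6 && strcmp(argv[2], "--") == 0;
    ok &= expand_nocmd("$(id)", &we) == -1;               /* WRDE_CMDSUB */
    ok &= expand_nocmd("`id`", &we) == -1;
    if (expand_nocmd("mbox draft", &we) == 2)             /* plain split */
        wordfree(&we);
    else
        ok = 0;
    return ok;
}

int main(void)
{
    int ok = demo_fixes_hold();
    printf("patched behaviour holds: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall mailx_fix_demo.c` and run it; the wordexp checks depend on the C library honouring WRDE_NOCMD, which glibc and musl both do. The point of the "--" separator is independent of expandaddr: even a recipient that passes the gate must never be able to reach the MTA's getopt.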




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Jan 2015 07:26:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:34:47 2019; Machine Name: buxtehude
