By Eduard Kovacs on December 17, 2014 Several Linux distributions are affected by a couple of security holes found in "mailx," a utility that's used for sending and receiving mail.
The vulnerabilities, which have been rated "moderate," are caused by the way mailx handles the parsing of email addresses. A local attacker can use a syntactically valid email address to cause mailx to execute arbitrary shell commands (CVE-2014-7844). An attacker can also execute commands by leveraging the fact that mailx interprets shell meta-characters in certain email addresses (CVE-2004-2771).
The security holes, found in both the BSD mailx and Heirloom mailx implementations, affect Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, and possibly other distros. Patches have already been made available for many of the operating systems and users are advised to update their packages.
Debian has pointed out that CVE-2004-2771 is a historic vulnerability already fixed in Debian's bsd-mailx package. Full Article.
Linux Distributions Affected by Two "mailx" Vulnerabilities
Userlevel 7
+54
Userlevel 7
+54
By Ionut Ilascu 17 Dec 2014
Security impact is moderate, update priority is medium
Two vulnerabilities, affecting the mailx utility for Unix systems, have been addressed by the maintainers of Debian and Red Hat Linux distributions; one of the flaws had been repaired in the BSD mailx implementation on Debian ten years ago, but Heirloom mailx was still impacted.
Separate security advisories for the two operating systems inform that a local attacker could rely on mailx to execute arbitrary commands on the affected system by providing maliciously-formed email addresses.
Mailx, also known as Mail User Agent, is a utility for sending and receiving messages, which is used by several email programs. It is present in multiple Linux distributions.
The issue consists in the fact that the email addresses are not parsed properly, leading to mailx executing arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
Full Article
Security impact is moderate, update priority is medium
Two vulnerabilities, affecting the mailx utility for Unix systems, have been addressed by the maintainers of Debian and Red Hat Linux distributions; one of the flaws had been repaired in the BSD mailx implementation on Debian ten years ago, but Heirloom mailx was still impacted.
Separate security advisories for the two operating systems inform that a local attacker could rely on mailx to execute arbitrary commands on the affected system by providing maliciously-formed email addresses.
Mailx, also known as Mail User Agent, is a utility for sending and receiving messages, which is used by several email programs. It is present in multiple Linux distributions.
One of the problems was discovered in 2004
The issue consists in the fact that the email addresses are not parsed properly, leading to mailx executing arbitrary shell commands through shell meta-characters (CVE-2004-2771) and the direct command execution functionality (CVE-2014-7844).
Full Article
Reply
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.