authorRobert Mustacchi <rm@joyent.com>2014-12-17 17:43:46 +0000
committerRobert Mustacchi <rm@joyent.com>2014-12-23 14:52:59 -0800
commit5422785d352a2bb398daceab3d1898a8aa64d006 (patch)
tree5283e77a5f85bd7c4ae03a1db063b5fb6a0400f5
parent196c7f05d2deba7404e90ad67f3861185c78ca2d (diff)
5481 CVE-2012-1750 mailx(1) tilde expansion vulnerability
5482 CVE-2014-7844, CVE-2004-2771 - more mailx(1) woes Reviewed by: Dan McDonald <danmcd@omniti.com> Reviewed by: Richard Lowe <richlowe@richlowe.net> Approved by: Dan McDonald <danmcd@omniti.com>
-rw-r--r--usr/src/cmd/mailx/fio.c2
-rw-r--r--usr/src/cmd/mailx/main.c3
-rw-r--r--usr/src/cmd/mailx/misc/mailx.rc4
-rw-r--r--usr/src/cmd/mailx/names.c19
-rw-r--r--usr/src/man/man1/mailx.150
5 files changed, 38 insertions, 40 deletions
diff --git a/usr/src/cmd/mailx/fio.c b/usr/src/cmd/mailx/fio.c
index 59eceb519f..53907ca760 100644
--- a/usr/src/cmd/mailx/fio.c
+++ b/usr/src/cmd/mailx/fio.c
@@ -757,7 +757,7 @@ expand(char *name)
if (debug) fprintf(stderr, "%s\n", name);
return (name);
}
- if (wordexp(name, &wrdexp_buf, 0) != 0) {
+ if (wordexp(name, &wrdexp_buf, WRDE_NOCMD) != 0) {
fprintf(stderr, gettext("Syntax error in \"%s\"\n"), name);
fflush(stderr);
return (NOSTR);
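Review bot: Every non-zero return from wordexp() is still reported as `Syntax error in "%s"`, so with WRDE_NOCMD a name containing command substitution (which wordexp() refuses with WRDE_CMDSUB) is reported as a syntax error rather than as a refused expansion. Consider keeping the return value and giving WRDE_CMDSUB its own message. A comment at the call, such as `/* WRDE_NOCMD: expanding a file name must never run a command */`, would keep the flag from being dropped in a later cleanup. expand() begins and ends outside this hunk, so whether wrdexp_buf needs wordfree() on the failure path cannot be judged from here.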
diff --git a/usr/src/cmd/mailx/main.c b/usr/src/cmd/mailx/main.c
index 35448ecf7c..0271552bea 100644
--- a/usr/src/cmd/mailx/main.c
+++ b/usr/src/cmd/mailx/main.c
@@ -37,8 +37,6 @@
* contributors.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include "rcv.h"
#ifndef preSVr4
#include <locale.h>
@@ -104,7 +102,6 @@ main(int argc, char **argv)
progname = argv[0];
if (progname[strlen(progname) - 1] != 'x') {
assign("bsdcompat", "");
- assign("escapeok", ""); /* XXX */
}
myegid = getegid();
myrgid = getgid();
diff --git a/usr/src/cmd/mailx/misc/mailx.rc b/usr/src/cmd/mailx/misc/mailx.rc
index d10391f433..a6dfa46fb2 100644
--- a/usr/src/cmd/mailx/misc/mailx.rc
+++ b/usr/src/cmd/mailx/misc/mailx.rc
@@ -21,8 +21,6 @@
# Copyright 2000 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# The following 3 settings produce the familiar Solaris behavior.
set appenddeadletter
unset pipeignore
@@ -44,8 +42,6 @@ else
set LISTER="ls -LF"
# default is to allow editing of message windows
set editmessagewindow
- # have to allow ~ escapes even though not using tty
- set escapeok
endif
# most mail headers are uninteresting to most people. here we ignore all
diff --git a/usr/src/cmd/mailx/names.c b/usr/src/cmd/mailx/names.c
index 7616630f79..886eb2dbc5 100644
--- a/usr/src/cmd/mailx/names.c
+++ b/usr/src/cmd/mailx/names.c
@@ -191,7 +191,7 @@ outpre(struct name *to)
/*
* For each recipient in the passed name list with a /
* in the name, append the message to the end of the named file
- * and remove him from the recipient list.
+ * and remove them from the recipient list.
*
* Recipients whose name begins with | are piped through the given
* program and removed.
@@ -212,6 +212,9 @@ outof(struct name *names, FILE *fo)
char line[BUFSIZ];
#endif
+ if (value("expandaddr") == NOSTR)
+ return (nout);
+
for (np = names; np != NIL; np = np->n_flink) {
if (!isfileaddr(np->n_name) && np->n_name[0] != '|')
continue;
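Review bot: The new early return in outof() has no comment, and its effect is easy to misread. When `expandaddr` is unset, recipients that name a file or start with `|` are not rejected; they are returned untouched and, assuming `nout` still equals `names` here (its initialisation is above the hunk), handed on to the mailer as ordinary addresses. I would document that above the check, e.g. `/* expandaddr unset: never write to files or run pipe commands named as recipients; leave them in the list as plain addresses */`. It may also be worth telling the user that such an address was not expanded, since the message otherwise goes out with no sign that the file or pipe was skipped.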
@@ -599,14 +602,15 @@ unpack(struct name *np)
panic("No names to unpack");
/*
- * Compute the number of extra arguments we will need.
- * We need at least 2 extra -- one for "mail" and one for
- * the terminating 0 pointer.
- * Additional spots may be needed to pass along -r and -f to
- * the host mailer.
+ * Compute the number of extra arguments we will need. We need at least
+ * 3 extra -- one for "mail", one for a terminating -- to stop sendmail
+ * option processing, and one for the terminating 0 pointer.
+ *
+ * Additional spots may be needed to pass along -r and -f to the host
+ * mailer.
*/
- extra = 2;
+ extra = 3;
if (rflag != NOSTR)
extra += 2;
@@ -636,6 +640,7 @@ unpack(struct name *np)
snprintf(hbuf, sizeof (hbuf), "%d", hflag);
*ap++ = savestr(hbuf);
}
+ *ap++ = "--";
while (n != NIL) {
if (n->n_type & GDEL) {
n = n->n_flink;
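Review bot: The `*ap++ = "--";` line has no comment at the point of use, and it relies on the `extra = 3` change in the previous hunk to reserve its slot; a short comment here, `/* end of options: a recipient beginning with '-' must reach the mailer as an address, not a flag */`, keeps the two in step. The neighbouring entry is stored with `savestr(hbuf)` while this one is a string literal, which is fine only as long as nothing later writes through or frees the argv entries; that code is outside the hunk. If the delivery program can be something other than sendmail, it is worth confirming that it accepts `--`, since otherwise the marker may be taken as a recipient.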
diff --git a/usr/src/man/man1/mailx.1 b/usr/src/man/man1/mailx.1
index 671f628c66..cf0cf48337 100644
--- a/usr/src/man/man1/mailx.1
+++ b/usr/src/man/man1/mailx.1
@@ -9,7 +9,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH MAILX 1 "Sep 19, 2001"
+.TH MAILX 1 "Dec 18, 2014"
.SH NAME
mailx \- interactive message processing system
.SH SYNOPSIS
@@ -36,7 +36,6 @@ mailx \- interactive message processing system
.fi
.SH DESCRIPTION
-.sp
.LP
The mail utilities listed above provide a comfortable, flexible environment for
sending and receiving mail messages electronically.
@@ -64,7 +63,6 @@ the secondary file can then be read or otherwise processed using the same
\fBCommands\fR as in the primary \fBmailbox\fR. This gives rise within these
pages to the notion of a current \fBmailbox\fR.
.SH OPTIONS
-.sp
.LP
On the command line options start with a dash (\(mi). Any other arguments are
taken to be destinations (recipients). If no recipients are specified,
@@ -294,7 +292,6 @@ Interpret tilde escapes in the input even if not reading from a tty.
.RE
.SH OPERANDS
-.sp
.LP
The following operands are supported:
.sp
@@ -308,7 +305,6 @@ Addressee of message.
.SH USAGE
.SS "Starting Mail"
-.sp
.LP
At startup time, \fBmailx\fR executes the system startup file
\fB/etc/mail/mailx.rc\fR. If invoked as \fBmail\fR or \fBMail\fR, the system
@@ -380,7 +376,6 @@ temporary file. Commands may be entered by beginning a line with the tilde (~)
escape character followed by a single command letter and optional arguments.
See \fBTilde Escapes\fR for a summary of these commands.
.SS "Reading Mail"
-.sp
.LP
Each message is assigned a sequential number, and there is at any time the
notion of a current message, marked by a right angle bracket (>) in the header
@@ -544,21 +539,24 @@ command involved. Filenames, where expected, are expanded using the normal
shell conventions (see \fBsh\fR(1)). Special characters are recognized by
certain commands and are documented with the commands below.
.SS "Sending Mail"
-.sp
.LP
Recipients listed on the command line may be of three types: login names, shell
commands, or alias groups. Login names may be any network address, including
mixed network addressing. If mail is found to be undeliverable, an attempt is
-made to return it to the sender's \fBmailbox\fR. If the recipient name begins
-with a pipe symbol ( | ), the rest of the name is taken to be a shell command
-to pipe the message through. This provides an automatic interface with any
-program that reads the standard input, such as \fBlp\fR(1) for recording
-outgoing mail on paper. Alias groups are set by the \fBa\fRlias command (see
-\fBCommands\fR below) or in a system startup file (for example,
-\fB$HOME/.mailrc\fR). Aliases are lists of recipients of any type.
-.SS "Forwarding Mail"
+made to return it to the sender's \fBmailbox\fR. If the \fBexpandaddr\fR option
+is not set (the default), then the following rules do not apply and the name of
+the recipient must be a local mailbox or network address. If the recipient name
+begins with a pipe symbol ( | ), the rest of the name is taken to be a shell
+command to pipe the message through. This provides an automatic interface with
+any program that reads the standard input, such as \fBlp\fR(1) for recording
+outgoing mail on paper.
.sp
.LP
+Alias groups are set by the \fBa\fRlias command (see \fBCommands\fR below) or in
+a system startup file (for example, \fB$HOME/.mailrc\fR). Aliases are lists of
+recipients of any type.
+.SS "Forwarding Mail"
+.LP
To forward a specific message, include it in a message to the desired
recipients with the \fB~f\fR or \fB~m\fR tilde escapes. See \fBTilde\fR
\fBEscapes\fR below. To forward mail automatically, add a comma-separated list
@@ -569,7 +567,6 @@ must be valid, or the messages will "bounce." You cannot, for instance, reroute
your mail to a new host by forwarding it to your new address if it is not yet
listed in the \fBNIS\fR aliases domain.
.SS "Commands"
-.sp
.LP
Regular commands are of the form
.sp
@@ -768,6 +765,18 @@ ENVIRONMENT VARIABLES). Default editor is \fBed\fR(1).
.sp
.ne 2
.na
+\fB\fBexpandaddr\fR\fR
+.ad
+.sp .6
+.RS 4n
+Causes recipient addresses to be expanded based on the discussion in the section
+\fBSending Mail\fR. Note that enabling this option allows for addresses that can
+cause arbitrary command execution by starting with the \fB|\fR character.
+.RE
+
+.sp
+.ne 2
+.na
\fB\fBex\fRit\fR
.ad
.br
@@ -1621,7 +1630,6 @@ Variables\fR).
.RE
.SS "Tilde Escapes"
-.sp
.LP
The following tilde escape commands can be used when composing mail to send.
These may be entered only from \fIinput mode\fR, by beginning a line with the
@@ -1905,7 +1913,6 @@ replaces the message.
.RE
.SS "Internal Variables"
-.sp
.LP
The following variables are internal variables. They may be imported from the
execution environment or set using the \fBse\fRt command at any time. The
@@ -2539,12 +2546,10 @@ the message is not sent.
.RE
.SS "Large File Behavior"
-.sp
.LP
See \fBlargefile\fR(5) for the description of the behavior of \fBmailx\fR when
encountering files greater than or equal to 2 Gbyte ( 2^31 bytes).
.SH ENVIRONMENT VARIABLES
-.sp
.LP
See \fBenviron\fR(5) for descriptions of the following environment variables
that affect the execution of \fBmailx\fR: \fBHOME\fR, \fBLANG\fR,
@@ -2661,7 +2666,6 @@ The name of a preferred screen editor. Default is \fBvi\fR(1).
.RE
.SH EXIT STATUS
-.sp
.LP
When the \fB-e\fR option is specified, the following exit values are returned:
.sp
@@ -2706,7 +2710,6 @@ An error occurred
.RE
.SH FILES
-.sp
.ne 2
.na
\fB\fB$HOME/.mailrc\fR\fR
@@ -2788,7 +2791,6 @@ post office directory
.RE
.SH ATTRIBUTES
-.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
@@ -2804,7 +2806,6 @@ Interface Stability Standard
.TE
.SH SEE ALSO
-.sp
.LP
\fBbiff\fR(1B), \fBecho\fR(1), \fBed\fR(1), \fBex\fR(1), \fBfmt\fR(1),
\fBlp\fR(1), \fBls\fR(1), \fBmail\fR(1), \fBmail\fR(1B), \fBmailcompat\fR(1),
@@ -2813,7 +2814,6 @@ Interface Stability Standard
\fBpasswd\fR(4), \fBattributes\fR(5), \fBenviron\fR(5), \fBlargefile\fR(5),
\fBstandards\fR(5)
.SH NOTES
-.sp
.LP
Where \fIshell-command\fR is shown as valid, arguments are not always allowed.
Experimentation is recommended.