[v2.6] mailx: shell command injection via crafted email addresses (CVE-2004-2771, CVE-2014-7844)
The expand function in fio.c in BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.
Patches and their descriptions are available at the links below.
References:
PATCHES: http://seclists.org/oss-sec/2014/q4/1066
CONFIRM: http://linux.oracle.com/errata/ELSA-2014-1999.html
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
(from redmine: issue id 3810, created on 2015-01-27, closed on 2017-09-05)
- Relations:
  - parent #3809