Re: [courier-users] Bash shell security issue - CVE-2014-6271
Brought to you by:
mrsam
Menu
▾
▴
Re: [courier-users] Bash shell security issue - CVE-2014-6271
|
From: Sam V. <mr...@co...> - 2014-09-25 23:08:07
|
Wolfgang Jeltsch writes: > Hi, > > thank you very much for this information. > > Has there been any new insight into how Courier is affected by this bug? > Can the bug be exploited via ways other than default files? > > And is Courier affected by the “follow-up” CVE-2014-7169? I don't think the follow-up exploit is in scope. To use the follow-up explot, so far, you need to somehow stuff the ">" character into an email address. This is going to be a problem, since the > character terminates the MAIL FROM or the RCPT TO command. So, I'm not worried about it. One way to mitigate the exposure is to set up a custom SHELL for Courier's process environment. If SHELL is set, local mail delivery commands will be executed using this shell, rather than /bin/sh. Testing shows that csh works fine. It's unlikely that most common mail delivery commands will use anything that's bash-specific. To do this, change the SHELL setting in the courierd configuration file to: SHELL=/bin/csh or to any other shell. Of course, you could always have something in your .courier files that uses a bash-ism, and would now be broken, but if that's the case you should already know about it. |
