Bugzilla – Bug 919737
VUL-1: CVE-2014-9681 procmail: Unsafe handling of TZ environment variable
Last modified: 2017-04-24 12:22:46 UTC
procmail preserves TZ. This can be abused to trick the program into reading an arbitrary file.
bugbot adjusting priority
Hmmm .... just tried to reproduce the example in
werner/procmail> echo harry > xyz
werner/procmail> TZ=$PWD/xyz sudo -u root strace -s 256 date 2>&1 | grep harry
... what's going wrong here?
Side remark: the sudo has not been fixed on the test systems!
And read https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778341
as well as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772706
IMHO this bug, if it really is reproducible, belongs to glibc!
The same for procmail
cat testmail | TZ=$PWD/xyz strace -o log -s 256 procmail ~/.procmail/test-procmailrc
and there is no xyz in the strace log
date; TZ=$PWD/xyz date; TZ=$PWD/UTC date
Fri Feb 27 09:48:37 CET 2015
Fri Feb 27 08:48:37 /usr/src/werner/procmail/xyz 2015
Fri Feb 27 08:48:37 /usr/src/werner/procmail/UTC 2015
that means the xyz will be interpreted, see without sudo
TZ=$PWD/xyz strace date 2>&1 | grep harry
read(3, "harry\n", 4096) = 6
but as mentioned in the Debian bugs, this belongs to glibc.
Also the TZ variable will be passed-through, which is seen by using
in my test-procmailrc
cat testmail | TZ=$PWD/xyz procmail ~werner/.rocmail/test-procmailrc
From firstname.lastname@example.org Fri Feb 20 18:38:03 2015
Subject: [changed] 313774 Display which programs are (partly) swapped
Folder: /var/mail/werner 25749
Btw: It is possible to set the line
or similar in ~/.procmailrc, but procmail will be called as a filter by the MTA, like postfix and sendmail, with the uid of the user (procmail is not suid!). That is, even if the user account has been successfully attacked, the question arises how to get the TZ variable into the chain MTA->procmail->program in ~/.procmailrc, and why this should be done, as if the account has been successfully attacked there is no need to misuse procmail, but simply to execute every command with TZ=/tmp/xyz prefixed on the user's command line.
In other words, the TZ variable can only be set by root before starting the MTA to influence the behaviour of commands in the users' ~/.procmailrc files. The users themselves can only set the TZ variable in their ~/.procmailrc files. But if a suid program is attackable via glibc, then the users can also do this on the command line.
IMHO this bug is INVALID
This candidate was withdrawn by its CNA.
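The thread shows a TZ value such as `$PWD/xyz` being handed through to a child program and opened as a file by the C library. The C code below is an added example, not code from procmail, glibc or this bug report: it filters a child's environment vector so that only zone names and POSIX rule strings survive. The names `tz_value_is_safe` and `scrub_tz`, the 255-byte cap and the allowed character set are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 when a TZ value can only be a zone name
 * relative to the zoneinfo directory or a POSIX rule string, 0 when it
 * could point the C library at a file elsewhere (absolute path or ".."). */
static int tz_value_is_safe(const char *tz)
{
    if (tz == NULL)
        return 1;                    /* unset: library default applies */
    if (*tz == ':')
        tz++;                        /* optional leading colon */
    if (*tz == '/' || strstr(tz, "..") != NULL)
        return 0;                    /* e.g. TZ=$PWD/xyz from the thread */
    if (strlen(tz) > 255)
        return 0;                    /* cap is an assumption of this example */
    for (const char *p = tz; *p; p++) {
        /* characters seen in "Europe/Berlin", "CET-1CEST,M3.5.0,M10.5.0/3",
         * "<+03>-3" and similar values */
        if (!isalnum((unsigned char)*p) && strchr("+-_/,.<>:", *p) == NULL)
            return 0;
    }
    return 1;
}

/* Remove unsafe "TZ=..." entries in place from a NULL-terminated environment
 * vector before it is given to execve(); returns the number removed. */
static size_t scrub_tz(char **envp)
{
    size_t removed = 0;
    char **out = envp;
    for (; *envp; envp++) {
        if (strncmp(*envp, "TZ=", 3) == 0 && !tz_value_is_safe(*envp + 3)) {
            removed++;
            continue;
        }
        *out++ = *envp;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    /* Constructed environment mirroring the TZ value used in the thread. */
    char e0[] = "HOME=/home/werner", e1[] = "TZ=/usr/src/werner/procmail/xyz";
    char *env[] = { e0, e1, NULL };
    printf("removed %zu TZ entry(ies)\n", scrub_tz(env));
    for (char **e = env; *e; e++) puts(*e);
    return 0;
}
```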