Fix "Vulnerability in Sendmail Delivery Agent code", which allowed

arbitrary code execution. Details at http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd OK ajacoutot@
2011-02-10 01:39:47 +00:00 · 2011-02-10 01:39:47 +00:00 · f07bd47521
commit f07bd47521
parent fa243c7d12
5 changed files with 109 additions and 3 deletions
--- a/mail/ruby-mail/Makefile
+++ b/mail/ruby-mail/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.2 2011/01/06 04:24:24 jeremy Exp $
+# $OpenBSD: Makefile,v 1.3 2011/02/10 01:39:47 jeremy Exp $

 COMMENT=	easy email delivery and testing for ruby

 DISTNAME=	mail-2.2.10
-REVISION =	0
+REVISION =	1
 CATEGORIES=	mail

 # MIT License
--- a/mail/ruby-mail/patches/patch-lib_mail_core_extensions_shellwords_rb
+++ b/mail/ruby-mail/patches/patch-lib_mail_core_extensions_shellwords_rb
@ -0,0 +1,63 @@
+$OpenBSD: patch-lib_mail_core_extensions_shellwords_rb,v 1.1 2011/02/10 01:39:47 jeremy Exp $
+
+Fix for "Vulnerability in Sendmail Delivery Agent code".
+
+--- lib/mail/core_extensions/shellwords.rb.orig	Wed Feb  9 09:21:19 2011
+++ lib/mail/core_extensions/shellwords.rb	Wed Feb  9 09:21:19 2011
+@@ -0,0 +1,55 @@
+# The following is imported from ruby 1.9.2 shellwords.rb
+#
+module Shellwords
+  # Escapes a string so that it can be safely used in a Bourne shell
+  # command line.
+  #
+  # Note that a resulted string should be used unquoted and is not
+  # intended for use in double quotes nor in single quotes.
+  #
+  #   open("| grep #{Shellwords.escape(pattern)} file") { |pipe|
+  #     # ...
+  #   }
+  #
+  # +String#shellescape+ is a shorthand for this function.
+  #
+  #   open("| grep #{pattern.shellescape} file") { |pipe|
+  #     # ...
+  #   }
+  #
+  def shellescape(str)
+    # An empty argument will be skipped, so return empty quotes.
+    return "''" if str.empty?
+
+    str = str.dup
+
+    # Process as a single byte sequence because not all shell
+    # implementations are multibyte aware.
+    str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/n, "\\\\\\1")
+
+    # A LF cannot be escaped with a backslash because a backslash + LF
+    # combo is regarded as line continuation and simply ignored.
+    str.gsub!(/\n/, "'\n'")
+
+    return str
+  end
+
+  module_function :shellescape
+
+  class << self
+    alias escape shellescape
+  end
+
+end
+
+class String
+  # call-seq:
+  #   str.shellescape => string
+  #
+  # Escapes +str+ so that it can be safely used in a Bourne shell
+  # command line.  See +Shellwords::shellescape+ for details.
+  #
+  def shellescape
+    Shellwords.escape(self)
+  end
+end
+\ No newline at end of file
--- a/mail/ruby-mail/patches/patch-lib_mail_network_delivery_methods_sendmail_rb
+++ b/mail/ruby-mail/patches/patch-lib_mail_network_delivery_methods_sendmail_rb
@ -0,0 +1,20 @@
+$OpenBSD: patch-lib_mail_network_delivery_methods_sendmail_rb,v 1.1 2011/02/10 01:39:47 jeremy Exp $
+
+Fix for "Vulnerability in Sendmail Delivery Agent code".
+
+--- lib/mail/network/delivery_methods/sendmail.rb.orig	Wed Dec 31 16:00:00 1969
+++ lib/mail/network/delivery_methods/sendmail.rb	Wed Feb  9 09:21:19 2011
+@@ -45,11 +45,11 @@ module Mail
+ 
+     def deliver!(mail)
+       envelope_from = mail.return_path || mail.sender || mail.from_addrs.first
+-      return_path = "-f \"#{envelope_from}\"" if envelope_from
+      return_path = "-f \"#{envelope_from.to_s.shellescape}\"" if envelope_from
+ 
+       arguments = [settings[:arguments], return_path].compact.join(" ")
+       
+-      Sendmail.call(settings[:location], arguments, mail.destinations.join(" "), mail)
+      Sendmail.call(settings[:location], arguments, mail.destinations.collect(&:shellescape).join(" "), mail)
+     end
+     
+     def Sendmail.call(path, arguments, destinations, mail)
--- a/mail/ruby-mail/patches/patch-lib_mail_rb
+++ b/mail/ruby-mail/patches/patch-lib_mail_rb
@ -0,0 +1,22 @@
+$OpenBSD: patch-lib_mail_rb,v 1.1 2011/02/10 01:39:47 jeremy Exp $
+
+Fix for "Vulnerability in Sendmail Delivery Agent code".
+
+--- lib/mail.rb.orig	Wed Dec 31 16:00:00 1969
+++ lib/mail.rb	Wed Feb  9 09:22:07 2011
+@@ -2,6 +2,7 @@
+ module Mail # :doc:
+ 
+   require 'date'
+  require 'shellwords'
+ 
+   require 'active_support'
+   require 'active_support/core_ext/hash/indifferent_access'
+@@ -31,6 +32,7 @@ module Mail # :doc:
+   require 'mail/version'
+ 
+   require 'mail/core_extensions/nil'
+  require 'mail/core_extensions/shellwords' unless String.new.respond_to?(:shellescape)
+   require 'mail/core_extensions/string'
+ 
+   require 'mail/patterns'
--- a/mail/ruby-mail/pkg/PLIST
+++ b/mail/ruby-mail/pkg/PLIST
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.1.1.1 2010/12/08 21:26:43 jeremy Exp $
+@comment $OpenBSD: PLIST,v 1.2 2011/02/10 01:39:47 jeremy Exp $
 ${GEM_LIB}/cache/${DISTNAME}.gem
 ${GEM_LIB}/gems/${DISTNAME}/
 ${GEM_LIB}/gems/${DISTNAME}/CHANGELOG.rdoc
@ -14,6 +14,7 @@ ${GEM_LIB}/gems/${DISTNAME}/lib/mail/body.rb
 ${GEM_LIB}/gems/${DISTNAME}/lib/mail/configuration.rb
 ${GEM_LIB}/gems/${DISTNAME}/lib/mail/core_extensions/
 ${GEM_LIB}/gems/${DISTNAME}/lib/mail/core_extensions/nil.rb
+${GEM_LIB}/gems/${DISTNAME}/lib/mail/core_extensions/shellwords.rb
 ${GEM_LIB}/gems/${DISTNAME}/lib/mail/core_extensions/string.rb
 ${GEM_LIB}/gems/${DISTNAME}/lib/mail/elements/
 ${GEM_LIB}/gems/${DISTNAME}/lib/mail/elements.rb