RUSTSEC-2020-0069

Argument injection in sendmail transport

Issued
Package
lettre (crates.io)
Type
Vulnerability
Categories
  • code-execution
  • file-disclosure
Aliases
Details
https://github.com/lettre/lettre/pull/508/commits/bbe7cc5381c5380b54fb8bbb4f77a3725917ff0b
Patched
  • >=0.10.0-alpha.4
  • <0.10.0-alpha.1, >=0.9.5
  • <0.9.0, >=0.8.4
  • <0.8.0, >=0.7.1
Unaffected
  • <0.7.0
Keywords
  • email
  • sendmail
Affected Functions
Version
lettre::sendmail::SendmailTransport::send
  • <0.10.0-alpha.1
lettre::transport::sendmail::SendmailTransport::send
  • >=0.10.0-alpha.1, <=0.10.0-alpha.3
lettre::transport::sendmail::SendmailTransport::send_raw
  • >=0.10.0-alpha.1, <=0.10.0-alpha.3

Description

Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.

Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features).

The flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses.

NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

This vulnerability was reported by vin01.

More