net-mail/mailutils: disable escapes in non-interactive mode

unlike other mail(1) implementations, mailutils mail command allowed
escape characters in non-interactive mode, resulting in CVE-2021-32749
in fail2ban package. backport fix for mailutils-3.12

Bug: https://bugs.gentoo.org/802513
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Eray Aslan <eras@gentoo.org>

1 files changed, 24 insertions, 0 deletions

diff --git a/net-mail/mailutils/files/mailutils-3.12-disable_escapes.patch b/net-mail/mailutils/files/mailutils-3.12-disable_escapes.patch
new file mode 100644
index 000000000000..073d1b671219
--- /dev/null
+++ b/net-mail/mailutils/files/mailutils-3.12-disable_escapes.patch
@@ -0,0 +1,24 @@
+From 4befcfd015256c568121653038accbd84820198f Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Mon, 19 Jul 2021 11:27:40 +0300
+Subject: mail: disable compose escapes in non-interctive mode.
+
+diff --git a/mail/send.c b/mail/send.c
+index 1bdfe1134..098374dab 100644
+--- a/mail/send.c
++++ b/mail/send.c
+@@ -1324,8 +1324,9 @@ mail_compose_send (compose_env_t *env, int save_to)
+ 
+       if (strcmp (buf, ".") == 0 && mailvar_is_true (mailvar_name_dot))
+ 	done = 1;
+-      else if (mailvar_get (&escape, mailvar_name_escape,
+-			    mailvar_type_string, 0) == 0
++      else if (interactive
++	       && mailvar_get (&escape, mailvar_name_escape,
++			       mailvar_type_string, 0) == 0
+ 	       && buf[0] == escape[0])
+ 	{
+ 	  if (buf[1] == buf[0])
+-- 
+cgit v1.2.1
+