bug-mailutils

Disable escapes to prevent command-injection attacks


From: Quinn Comendant
Subject: Disable escapes to prevent command-injection attacks
Date: Tue, 5 Oct 2021 23:04:33 -0500

Hello all,

I recently learned of a vulnerability where an arbitrary command can be 
executed by root if the body of an email passed to `mail` contains unsanitized 
~! or ~| escapes. This vulnerability currently exists when `mail` is used with 
fail2ban, CVE-2021-32749 [1], but may exist with other mailutils integrations.

I searched for a way to disable ~! and ~| escapes in mail, but there doesn't 
seem to be a runtime or build option to do this. I would like to suggest that 
this option be included in the core of mailutils to make it easy for sysadmins 
to secure their networks. I'm not sure how often people use tilde escape 
sequences, but we might even consider disabling them by default.

Gentoo has included a backport patch that disables escapes in non-interactive 
mode in mailutils in their distro [2]. It would be great if something like this 
were included in upstream mailutils. 

In the meantime, I have updated all the scripts I use on my servers to filter 
escapes in message content like this:

    echo "$potentiallyunsafe" | sed 's/~[|!]//g' | mail -s "This is safer" user@example.com

This is only a partial fix, because I can only filter content to programs that 
I have control over; ideally I would like to disable escapes for `mail` 
entirely, system-wide.

[1] https://research.securitum.com/fail2ban-remote-code-execution/
[2] https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ba91eed

Regards,
Quinn
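The filter in the message above strips the two characters of `~!` and `~|` wherever they occur. As an added example (not code from Quinn's post, from the Gentoo patch, or from mailutils itself), the script below shows a slightly more general defensive filter for untrusted text that is about to be piped into `mail`. It relies on the behaviour of mail(1) that a tilde escape is only recognised when the tilde is the first character of a line, so instead of deleting text it indents any such line by one space, which neutralises every tilde escape rather than only `~!` and `~|`. The sample body, the function names and the count helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Neutralise mail(1) tilde escapes in untrusted text before it reaches `mail`.
# Assumption: mail(1) honours an escape only when "~" is the first character of
# a line, so indenting such lines turns the escape into ordinary text.

# sanitize_mail_body: read a message body on stdin, write the safe body on stdout.
sanitize_mail_body() {
    # Drop carriage returns first (belt and braces, so no line can hide a tilde
    # behind a stray "\r"), then prefix every line starting with "~" by a space.
    tr -d '\r' | sed 's/^~/ ~/'
}

# count_escape_lines: print how many lines on stdin still begin with "~".
# grep -c exits 1 when the count is 0, which is not an error here.
count_escape_lines() {
    grep -c '^~' || true
}

# Constructed sample body: the kind of attacker-influenced text a log-driven
# notification script might pass to `mail`.
SAMPLE='Failed login from 192.0.2.1
~! id
~| cat /etc/passwd
~ plain tilde at line start'

# Run the filter once so the result can be inspected or checked.
sanitized=$(printf '%s\n' "$SAMPLE" | sanitize_mail_body)

# Typical use in a notification script (not executed here):
#   printf '%s\n' "$body" | sanitize_mail_body | mail -s "alert" user@example.com
printf '%s\n' "$sanitized"
```

The indentation approach keeps the original text readable in the delivered mail, which matters when the message is a log excerpt an operator needs to see verbatim; the `sed 's/~[|!]//g'` form in the post is simpler but silently drops characters and leaves other tilde escapes untouched.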
