diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/changelog bsd-mailx-8.1.2-0.20111106cvs/debian/changelog --- bsd-mailx-8.1.2-0.20111106cvs/debian/changelog 2011-11-20 22:39:16.000000000 +0000 +++ bsd-mailx-8.1.2-0.20111106cvs/debian/changelog 2015-01-05 16:40:45.000000000 +0000 @@ -1,3 +1,15 @@ +bsd-mailx (8.1.2-0.20111106cvs-1ubuntu0.1) precise-security; urgency=medium + + * SECURITY UPDATE: shell command injection + - Apply OpenBSD patches from Todd Miller (taken from Debian update): + + 80-remove_T.patch (remove undocumented/obsolete -T option) + + 81-minus_f.patch (adjust -f processing) + + 82-expandaddr.patch (fix CVE-2014-7844) + + 83-nosendmail.patch (make -- work for option parsing suppression) + - CVE-2014-7844 + + -- Marc Deslauriers Mon, 05 Jan 2015 11:40:44 -0500 + bsd-mailx (8.1.2-0.20111106cvs-1) unstable; urgency=low * New upstream version from OpenBSD CVS repository. diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/control bsd-mailx-8.1.2-0.20111106cvs/debian/control --- bsd-mailx-8.1.2-0.20111106cvs/debian/control 2011-11-20 22:39:16.000000000 +0000 +++ bsd-mailx-8.1.2-0.20111106cvs/debian/control 2015-01-05 16:40:58.000000000 +0000 @@ -1,7 +1,8 @@ Source: bsd-mailx Section: mail Priority: standard -Maintainer: Robert Luberda +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Robert Luberda Standards-Version: 3.9.2 Build-Depends: debhelper (>= 8.9.8), groff, diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/patches/80-remove_T.patch bsd-mailx-8.1.2-0.20111106cvs/debian/patches/80-remove_T.patch --- bsd-mailx-8.1.2-0.20111106cvs/debian/patches/80-remove_T.patch 1970-01-01 00:00:00.000000000 +0000 +++ bsd-mailx-8.1.2-0.20111106cvs/debian/patches/80-remove_T.patch 2015-01-05 16:39:04.000000000 +0000 
@@ -0,0 +1,131 @@
+Remove undocumented and obsolete -T option. It was intended for
+use with old netnews.
+
+Index: bsd-mailx-8.1.2-0.20111106cvs/glob.h
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/glob.h 2015-01-05 11:39:00.136339604 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/glob.h 2015-01-05 11:39:00.132339587 -0500
+@@ -40,7 +40,6 @@
+ int msgCount; /* Count of messages read in */
+ int rcvmode; /* True if receiving mail */
+ int sawcom; /* Set after first command */
+-char *Tflag; /* -T temp file for netnews */
+ int senderr; /* An error while checking */
+ int edit; /* Indicates editing a file */
+ int readonly; /* Will be unable to rewrite file */
+Index: bsd-mailx-8.1.2-0.20111106cvs/main.c
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/main.c 2015-01-05 11:39:00.136339604 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/main.c 2015-01-05 11:39:00.132339587 -0500
+@@ -115,18 +115,8 @@
+ subject = NULL;
+ header = NULL;
+ replyto = NULL;
+- while ((i = getopt(argc, argv, "EINT:a:b:c:defins:u:v")) != -1) {
++ while ((i = getopt(argc, argv, "EIN:a:b:c:defins:u:v")) != -1) {
+ switch (i) {
+- case 'T':
+- /*
+- * Next argument is temp file to write which
+- * articles have been read/deleted for netnews.
+- */
+- Tflag = optarg;
+- if ((i = creat(Tflag, 0600)) < 0)
+- err(1, "%s", Tflag);
+- (void)close(i);
+- break;
+ case 'u':
+ /*
+ * Next argument is person to pretend to be.
+Index: bsd-mailx-8.1.2-0.20111106cvs/quit.c
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/quit.c 2015-01-05 11:39:00.136339604 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/quit.c 2015-01-05 11:39:00.132339587 -0500
+@@ -64,7 +64,7 @@
+ quit(void)
+ {
+ int mcount, p, modify, autohold, anystat, holdbit, nohold;
+- FILE *ibuf = NULL, *obuf, *fbuf, *rbuf, *readstat = NULL, *abuf;
++ FILE *ibuf = NULL, *obuf, *fbuf, *rbuf, *abuf;
+ struct message *mp;
+ int c, fd;
+ struct stat minfo;
+@@ -154,10 +154,6 @@
+ mp->m_flag |= holdbit;
+ }
+ modify = 0;
+- if (Tflag != NULL) {
+- if ((readstat = Fopen(Tflag, "w")) == NULL)
+- Tflag = NULL;
+- }
+ for (c = 0, p = 0, mp = &message[0]; mp < &message[msgCount]; mp++) {
+ if (mp->m_flag & MBOX)
+ c++;
+@@ -165,15 +161,7 @@
+ p++;
+ if (mp->m_flag & MODIFY)
+ modify++;
+- if (Tflag != NULL && (mp->m_flag & (MREAD|MDELETED)) != 0) {
+- char *id;
+-
+- if ((id = hfield("article-id", mp)) != NULL)
+- fprintf(readstat, "%s\n", id);
+- }
+ }
+- if (Tflag != NULL)
+- (void)Fclose(readstat);
+ if (p == msgCount && !modify && !anystat) {
+ printf("Held %d message%s in %s\n",
+ p, p == 1 ? "" : "s", mailname);
+@@ -399,17 +387,13 @@
+ {
+ int gotcha, c;
+ struct message *mp;
+- FILE *obuf, *ibuf, *readstat = NULL;
++ FILE *obuf, *ibuf;
+ struct stat statb;
+ char tempname[PATHSIZE];
+
+ if (readonly)
+ return(0);
+ holdsigs();
+- if (Tflag != NULL) {
+- if ((readstat = Fopen(Tflag, "w")) == NULL)
+- Tflag = NULL;
+- }
+ for (mp = &message[0], gotcha = 0; mp < &message[msgCount]; mp++) {
+ if (mp->m_flag & MNEW) {
+ mp->m_flag &= ~MNEW;
+@@ -417,16 +401,8 @@
+ }
+ if (mp->m_flag & (MODIFY|MDELETED|MSTATUS))
+ gotcha++;
+- if (Tflag != NULL && (mp->m_flag & (MREAD|MDELETED)) != 0) {
+- char *id;
+-
+- if ((id = hfield("article-id", mp)) != NULL)
+- fprintf(readstat, "%s\n", id);
+- }
+ }
+- if (Tflag != NULL)
+- (void)Fclose(readstat);
+- if (!gotcha || Tflag != NULL)
++ if (!gotcha)
+ goto done;
+ ibuf = NULL;
+ if (stat(mailname, &statb) >= 0 && statb.st_size > mailsize) {
+Index: bsd-mailx-8.1.2-0.20111106cvs/mail.1
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/mail.1 2015-01-05 11:39:00.136339604 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/mail.1 2015-01-05 11:39:00.132339587 -0500
+@@ -1195,10 +1195,6 @@
+ .%T "Mail Reference Manual"
+ originally written by Kurt Shoens.
+ .Sh BUGS
+-There are some flags that are not documented here.
+-Most are
+-not useful to the general user.
+-.Pp
+ Usually,
+ .Nm Mail
+ and
diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/patches/81-minus_f.patch bsd-mailx-8.1.2-0.20111106cvs/debian/patches/81-minus_f.patch
--- bsd-mailx-8.1.2-0.20111106cvs/debian/patches/81-minus_f.patch 1970-01-01 00:00:00.000000000 +0000
+++ bsd-mailx-8.1.2-0.20111106cvs/debian/patches/81-minus_f.patch 2015-01-05 16:40:13.000000000 +0000
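Review bot: In 80-remove_T.patch, the new getopt string in the main.c hunk is `"EIN:a:b:c:defins:u:v"`: the `T` was deleted but its trailing colon was kept, so the colon now binds to `N` and `-N` is parsed as an option that takes an argument. The usage text elsewhere in this diff lists `N` among the argument-less flags (`[-dEIiNnv]`), so `mail -N` would either stop with a missing-argument error or consume the next word as its argument. The string should read `"EINa:b:c:defins:u:v"`. The switch statement continues outside the hunk, so the `case 'N'` handler is not visible here.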
@@ -0,0 +1,85 @@
+The handling of the -f option is a hack. Instead of fooling around
+with argv behind getopt()'s back we can just treat the remainder
+of argv[] after option processing as the file name for -f. It is
+not possible to use -f in sending mode so there is no ambiguity.
+
+Index: bsd-mailx-8.1.2-0.20111106cvs/main.c
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/main.c 2015-01-05 11:39:25.752450048 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/main.c 2015-01-05 11:40:04.976623047 -0500
+@@ -172,16 +172,10 @@
+ /*
+ * User is specifying file to "edit" with Mail,
+ * as opposed to reading system mailbox.
+- * If no argument is given after -f, we read his
+- * mbox file.
+- *
+- * getopt() can't handle optional arguments, so here
+- * is an ugly hack to get around it.
+- */
+- if ((argv[optind]) && (argv[optind][0] != '-'))
+- ef = argv[optind++];
+- else
+- ef = "&";
++ * We read his mbox file unless another file
++ * is specified after the arguments.
++ */
++ ef = "&";
+ break;
+ case 'n':
+ /*
+@@ -231,17 +225,24 @@
+ /*NOTREACHED*/
+ }
+ }
+- for (i = optind; (argv[i]) && (*argv[i] != '-'); i++)
+- to = cat(to, nalloc(argv[i], GTO));
+- for (; argv[i]; i++)
+- smopts = cat(smopts, nalloc(argv[i], 0));
++ if (ef != NULL) {
++ /* Check for optional mailbox file name. */
++ if (optind < argc) {
++ ef = argv[optind++];
++ if (optind < argc)
++ errx(1, "Cannot give -f and people to send to");
++ }
++ } else {
++ for (i = optind; (argv[i]) && (*argv[i] != '-'); i++)
++ to = cat(to, nalloc(argv[i], GTO));
++ for (; argv[i]; i++)
++ smopts = cat(smopts, nalloc(argv[i], 0));
++ }
+ /*
+ * Check for inconsistent arguments.
+ */
+ if (to == NULL && (subject != NULL || cc != NULL || bcc != NULL))
+ errx(1, "You must specify direct recipients with -s, -c, or -b");
+- if (ef != NULL && to != NULL)
+- errx(1, "Cannot give -f and people to send to");
+ /*
+ * Block SIGINT except where we install an explicit handler for it.
+ */
+Index: bsd-mailx-8.1.2-0.20111106cvs/mail.1
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/mail.1 2015-01-05 11:39:25.752450048 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/mail.1 2015-01-05 11:39:25.716449891 -0500
+@@ -85,11 +85,14 @@
+ .Nm mail .
+ .It Fl E
+ Don't send messages with an empty body.
+-.It Fl f Op Ar file
+-Read in the contents of your mailbox
+-(or the specified
+-.Ar file )
+-for processing; when you quit,
++.It Fl f
++Use an alternate mailbox.
++Defaults to the user's
++.Ar mbox
++if no
++.Ar file
++is specified.
++When quit,
+ .Nm mail
+ writes undeleted messages back to this
+ .Ar file .
diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/patches/82-expandaddr.patch bsd-mailx-8.1.2-0.20111106cvs/debian/patches/82-expandaddr.patch
--- bsd-mailx-8.1.2-0.20111106cvs/debian/patches/82-expandaddr.patch 1970-01-01 00:00:00.000000000 +0000
+++ bsd-mailx-8.1.2-0.20111106cvs/debian/patches/82-expandaddr.patch 2015-01-05 16:40:31.000000000 +0000
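Review bot: The rewritten `.It Fl f` entry in the mail.1 hunk of 81-minus_f.patch no longer names the operand, although the text under it still refers to `.Ar file` and the usage message keeps `-f [name]`; `.It Fl f Op Ar file` would keep the list entry consistent with both. `When quit,` reads as a fragment and could be `When you quit,`. In the main.c hunk the new comment says the file is given `after the arguments`, where `after the options` is what the code implements (`ef = argv[optind++]` once getopt has finished).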
@@ -0,0 +1,69 @@
+Add new "expandaddr" flag (disabled by default) to enable recipient
+address expansion and document it.
+
+Index: bsd-mailx-8.1.2-0.20111106cvs/mail.1
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/mail.1 2015-01-05 11:40:28.480728933 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/mail.1 2015-01-05 11:40:28.476728915 -0500
+@@ -296,6 +296,47 @@
+ but any reply returned to the machine will have the system wide
+ alias expanded as all mail goes through
+ .Xr sendmail .
++.Ss Recipient address specifications
++Recipient addresses (any of the
++.Dq To ,
++.Dq Cc
++or
++.Dq Bcc
++header fields) are subject to expansion when the
++.Ic expandaddr
++option is set.
++.Pp
++An address may be expanded as follows:
++.Bl -bullet -width Ds
++.It
++An address that starts with a pipe
++.Pq Ql |
++character is treated as a command to run.
++The command immediately following the
++.Ql |
++is executed with the message as its standard input.
++.It
++An address that starts with a
++.Ql +
++character is treated as a folder.
++.It
++An address that contains a
++.Ql /
++character but no
++.Ql \&! ,
++.Ql % ,
++or
++.Ql @
++characters is also treated as a folder.
++.It
++If none of the above apply, the recipient is treated as
++a local or network mail address.
++.El
++.Pp
++If the
++.Ic expandaddr
++option is not set (the default), no expansion is performed and
++the recipient is treated as a local or network mail address.
+ .Ss Network mail (ARPA, UUCP, Berknet)
+ See
+ .Xr mailaddr 7
+Index: bsd-mailx-8.1.2-0.20111106cvs/names.c
+===================================================================
+--- bsd-mailx-8.1.2-0.20111106cvs.orig/names.c 2015-01-05 11:40:28.480728933 -0500
++++ bsd-mailx-8.1.2-0.20111106cvs/names.c 2015-01-05 11:40:28.476728915 -0500
+@@ -212,6 +212,9 @@
+ char *date, *fname;
+ FILE *fout, *fin;
+
++ if (value("expandaddr") == NULL)
++ return(names);
++
+ top = names;
+ np = names;
+ (void)time(&now);
diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/patches/83-nosendmail.patch bsd-mailx-8.1.2-0.20111106cvs/debian/patches/83-nosendmail.patch
--- bsd-mailx-8.1.2-0.20111106cvs/debian/patches/83-nosendmail.patch 1970-01-01 00:00:00.000000000 +0000
+++ bsd-mailx-8.1.2-0.20111106cvs/debian/patches/83-nosendmail.patch 2015-01-05 16:40:38.000000000 +0000
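Review bot: The new guard in the names.c hunk of 82-expandaddr.patch, `if (value("expandaddr") == NULL) return(names);`, carries no comment saying why it is there, although it is the line that closes CVE-2014-7844. A comment such as `/* Pipe and file recipients are opt-in: addresses may come from untrusted callers (CVE-2014-7844). */` would keep a later cleanup from removing it. `value()` is defined outside this diff; if it also falls back to the process environment, a script that runs mail with an inherited environment could have expansion switched back on, so that lookup is worth confirming. The mail.1 text documents the option but does not tell the reader to leave it unset when recipient addresses come from untrusted input. The enclosing function starts and ends outside the hunk.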
@@ -0,0 +1,41 @@
+Don't pass options after the to address to sendmail. The only
+legitiate use of this is to set the sender name which should be
+handled specifically by a different option.
+
+Index: git/main.c
+===================================================================
+--- git.orig/main.c 2014-12-15 21:00:56.406154475 +0100
++++ git/main.c 2014-12-15 21:01:05.378354729 +0100
+@@ -233,10 +233,8 @@
+ errx(1, "Cannot give -f and people to send to");
+ }
+ } else {
+- for (i = optind; (argv[i]) && (*argv[i] != '-'); i++)
++ for (i = optind; argv[i]; i++)
+ to = cat(to, nalloc(argv[i], GTO));
+- for (; argv[i]; i++)
+- smopts = cat(smopts, nalloc(argv[i], 0));
+ }
+ /*
+ * Check for inconsistent arguments.
+@@ -338,8 +336,6 @@
+
+ fprintf(stderr, "usage: %s [-dEIinv] [-a header] [-b bcc-addr] [-c cc-addr] "
+ "[-s subject] to-addr ...\n", __progname);
+- fprintf(stderr, " %*s [-- sendmail-options ...]\n",
+- (int)strlen(__progname), "");
+ fprintf(stderr, " %s [-dEIiNnv] -f [name]\n", __progname);
+ fprintf(stderr, " %s [-dEIiNnv] [-u user]\n", __progname);
+ exit(1);
+Index: git/mail.1
+===================================================================
+--- git.orig/mail.1 2014-12-15 21:01:00.110237170 +0100
++++ git/mail.1 2014-12-15 21:01:05.378354729 +0100
+@@ -46,7 +46,6 @@
+ .Op Fl c Ar cc-addr
+ .Op Fl s Ar subject
+ .Ar to-addr ...
+-.Op Fl - Ar sendmail-options ...
+ .Ek
+ .Nm mail
+ .Op Fl dEIiNnv
diff -Nru bsd-mailx-8.1.2-0.20111106cvs/debian/patches/series bsd-mailx-8.1.2-0.20111106cvs/debian/patches/series
--- bsd-mailx-8.1.2-0.20111106cvs/debian/patches/series 2011-11-20 22:39:16.000000000 +0000
+++ bsd-mailx-8.1.2-0.20111106cvs/debian/patches/series 2015-01-05 16:40:38.000000000 +0000
@@ -23,3 +23,7 @@
 22-Replace-newlines-with-spaces.patch
 23-Treat-new-line-only-messages-as-empty-ones.patch
 24-False-cant-send-email-errors.patch
+80-remove_T.patch
+81-minus_f.patch
+82-expandaddr.patch
+83-nosendmail.patch
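Review bot: In the main.c hunk of 83-nosendmail.patch, `for (i = optind; argv[i]; i++)` followed by `to = cat(to, nalloc(argv[i], GTO));` now puts every remaining argument on the recipient list, including one that begins with `-`. Whether such a recipient can still be read as an option by the mailer depends on how the sendmail argument vector is built, which is outside this diff; it should be confirmed that recipients are passed after a `--` separator or that names beginning with `-` are rejected before the mailer is invoked. If `smopts` has no other writer after this change, its declaration and the code that consumes it can be removed in the same patch. The enclosing function starts and ends outside the hunk.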