FS#65322 - [opensmtpd] CVE-2020-7247 remote command execution

Attached to Project: Community Packages
Opened by loqs (loqs) - Wednesday, 29 January 2020, 22:18 GMT
Last edited by Levente Polyak (anthraxx) - Wednesday, 29 January 2020, 23:57 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
smtp_mailaddr in smtp_session.c in opensmtpd 6.6.2, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

[1] Is the fix in opensmtpd. [2] Is the fix in opensmtpd portable release.

Additional info:
* opensmtpd 6.6.2p1-1
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247
* [1] https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
* [2] https://github.com/OpenSMTPD/OpenSMTPD/commit/2afab2297347342f81fa31a75bbbf7dbee614fda

Steps to reproduce:
This task depends upon

Closed by  Levente Polyak (anthraxx)
Wednesday, 29 January 2020, 23:57 GMT
Reason for closing:  Fixed
Additional comments about closing:  6.6.2p1-1
Comment by Levente Polyak (anthraxx) - Wednesday, 29 January 2020, 22:38 GMT
6.6.2p1-1 contains this fix https://github.com/OpenSMTPD/OpenSMTPD/commit/2d1d2495ff799cea753d5f693196199036f4d52e
Comment by loqs (loqs) - Wednesday, 29 January 2020, 23:55 GMT
Sorry for the noise I checked master not the tag.
Comment by Levente Polyak (anthraxx) - Wednesday, 29 January 2020, 23:56 GMT
Don't worry, when it comes to such critical security issues we better are safe than sorry :)
Thanks for the report!!

Loading...