FS#67873 - [security][opendmarc] CVE-2020-12460

Attached to Project: Community Packages
Opened by loqs (loqs) - Saturday, 12 September 2020, 00:17 GMT
Last edited by freswa (frederik) - Sunday, 11 October 2020, 16:41 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sergej Pupykin (sergej)
Levente Polyak (anthraxx)
Thore Bödecker (foxxx0)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.
This is not fixed in opendmarc 1.3.3-1 as stated by [6]. 1.3.3 upstream tag rel-opendmarc-1-3-3 [1] only removed non-free IETF draft DMARC documentation [2].
It does not address CVE-2020-12460 [3] which was fixed in [4] nor was it backported locally [5]. You can cross-check that opendmarc/opendmarc_xml.c line 575 is still
bufp = calloc(statb.st_size, 1);
not
bufp = calloc(statb.st_size + 1, 1);

Additional info:
* opendmarc 1.3.3-1
[1] https://github.com/trusteddomainproject/OpenDMARC/releases/tag/rel-opendmarc-1-3-3
[2] https://github.com/trusteddomainproject/OpenDMARC/commits/b0d6408d0859adb336428e3d0bd87749513a9e79
[3] https://github.com/trusteddomainproject/OpenDMARC/issues/64
[4] https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f
[5] https://github.com/archlinux/svntogit-community/blob/b59051a13600713b4da2d0a4d4c9d5e64b902491/repos/community-x86_64/PKGBUILD
[6] https://security.archlinux.org/AVG-1208
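The one-byte difference quoted above (calloc(statb.st_size, 1) versus calloc(statb.st_size + 1, 1)) is the whole bug: a file is read into a heap buffer that is later handled as a C string, so the terminating '\0' needs a byte of its own inside the allocation. The following is an added illustration, not OpenDMARC's code, of the corrected pattern: stat the file, allocate st_size + 1, read, and terminate in bounds. The function names, the constructed XML payload and the /tmp path are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Added example, not OpenDMARC's code. It shows the allocation pattern
 * behind the upstream fix: a file read into a heap buffer that will be
 * treated as a C string needs st_size + 1 bytes so the NUL has room. */

/* Read the whole file at `path` into a freshly allocated, NUL-terminated
 * buffer. On success returns the buffer and stores the payload length in
 * *out_len; returns NULL on any error. Mirrors the corrected calloc() in
 * the report: the +1 reserves the terminator byte inside the allocation. */
static char *read_file_terminated(const char *path, size_t *out_len)
{
    struct stat statb;
    if (stat(path, &statb) != 0 || statb.st_size < 0)
        return NULL;
    size_t size = (size_t)statb.st_size;

    /* Corrected form: size + 1 so bufp[size] = '\0' stays in bounds.
     * The vulnerable form was calloc(size, 1); the terminator then lands
     * one byte past the end of the chunk, in the next chunk's metadata. */
    char *bufp = calloc(size + 1, 1);
    if (bufp == NULL)
        return NULL;

    FILE *fp = fopen(path, "rb");
    if (fp == NULL) {
        free(bufp);
        return NULL;
    }
    size_t got = fread(bufp, 1, size, fp);
    fclose(fp);
    if (got != size) {
        free(bufp);
        return NULL;
    }

    bufp[size] = '\0';   /* in bounds only because of the +1 above */
    *out_len = size;
    return bufp;
}

/* Bounds check to apply before any explicit terminator write: returns 1
 * if index `idx` lies inside an allocation of `alloc` bytes, else 0. */
static int terminator_fits(size_t alloc, size_t idx)
{
    return idx < alloc;
}

/* Write a constructed (fake) aggregate-report-like payload to `path` so
 * the example runs offline; returns the number of bytes written. */
static size_t write_constructed_report(const char *path)
{
    static const char body[] =
        "<?xml version=\"1.0\"?><feedback><report_metadata>"
        "<org_name>example.test</org_name></report_metadata></feedback>";
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return 0;
    size_t n = fwrite(body, 1, sizeof body - 1, fp);
    fclose(fp);
    return n;
}

int main(void)
{
    const char *path = "/tmp/constructed_report.xml";  /* assumed writable */
    size_t expect = write_constructed_report(path);
    size_t len = 0;
    char *buf = read_file_terminated(path, &len);
    if (buf == NULL)
        return 1;
    printf("read %zu bytes, strlen %zu, terminator in bounds: %d\n",
           len, strlen(buf), terminator_fits(len + 1, len));
    free(buf);
    remove(path);
    return expect == len ? 0 : 1;
}
```

With the buggy allocation, terminator_fits(size, size) is 0: the write of the terminator is exactly one byte out of bounds, which is the heap metadata corruption the advisory describes. Building with -fsanitize=address flags that write immediately, which is a quick way to confirm whether a packaged build carries the fix.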
This task depends upon

Closed by  freswa (frederik)
Sunday, 11 October 2020, 16:41 GMT
Reason for closing:  Fixed
Additional comments about closing:  1.3.3-2
