From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Guix-devel <guix-devel@gnu.org>
Subject: Critical opensmtpd vulnerability
Date: Wed, 29 Jan 2020 19:11:09 +0100
Message-ID: <87a7666sle.fsf@nckx>
Fellow Guix-running opensmtpd mail servers,
As you probably know by now, a serious remote code execution bug
was recently found and fixed in OpenSMTPd[0].
TL;DR: You should probably stop your opensmtpd daemon until you've
checked that our regular opensmtpd package (6.0.3p1) is not
vulnerable. If possible, switch to opensmtpd-next and adapt your
configuration syntax:
  (service opensmtpd-service-type
           (opensmtpd-configuration
            (package opensmtpd-next)
            (config-file (plain-file "smtpd.conf"
                                     "include \"/etc/guix/mail/my-new-smtpd.conf\"\n"))))
Here's some stuff I typed before I ran out of time and got on a bus… now.
~~~
The issue has been fixed in opensmtpd 6.6.2p1. I updated our
‘opensmtpd-next’ package last night (about 18 hours ago, or 1 hour
after the vulnerability was announced). If you use opensmtpd-next
and haven't updated yet, now is the time to do so, as well as the
time to subscribe to misc at opensmtpd.org.
However! Guix's opensmtpd-service-type still uses the much older
‘opensmtpd’ package, which is still at 6.0.x, because
opensmtpd-next introduced a new and incompatible smtpd.conf
grammar change.
According to [0], the bug was introduced together with this new
grammar[1]. It's possible that opensmtpd 6.0.x is not affected.
However, I had a quick look at the 6.0.3p1 sources and
smtpd/smtp_session.c's
    if (!valid_localpart(maddr->user) ||
        !valid_domainpart(maddr->domain)) {
        /* accept empty return-path in MAIL FROM, required for
           bounces */
        if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
            return (1);
        /* no user-part, reject */
        if (maddr->user[0] == '\0')
            return (0);
        /* no domain, local user */
        if (maddr->domain[0] == '\0') {
            (void)strlcpy(maddr->domain, domain,
                sizeof(maddr->domain));
            return (1);
        }
        return (0);
    }
    return (1);
looks pretty damn similar to the logic described here[0].
Kind regards,
T G-R
[0]: https://seclists.org/oss-sec/2020/q1/40
[1]: https://www.pf4sh.eu/git/openbsd/src/commit/a8e222352fecfb8aeaf32faf9d0df59b96a447d0
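As an added example that is not part of the message above and not OpenSMTPD's own code: the control flow of the quoted 6.0.3p1 excerpt, modelled stand-alone in C so that concrete addresses can be run through it. The struct layout, the buffer sizes, the default domain "localhost" and the rules inside valid_localpart()/valid_domainpart() are simplified assumptions made for this example; the hardened variant is likewise an illustration written here, not the upstream fix. What the model makes visible is only what the quoted branches say: once either predicate fails, a sender with an empty domain is returned as an accepted local user, with the domain filled in from the default, whether or not the local part itself passed validation.

```c
/*
 * Added example, not code from the e-mail or from OpenSMTPD: a stand-alone
 * model of the address check quoted from 6.0.3p1.  The struct, the buffer
 * sizes and both valid_*part() predicates are simplified assumptions; only
 * the branch order of check_quoted_flow() follows the excerpt.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct mailaddr {
	char user[65];
	char domain[256];
};

/* Assumed rule: non-empty, RFC 5322 atext characters plus '.'. */
static int valid_localpart(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) &&
		    strchr("!#$%&'*+-/=?^_`{|}~.", *s) == NULL)
			return 0;
	return 1;
}

/* Assumed rule: non-empty, letters, digits, '-' and '.' only. */
static int valid_domainpart(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
			return 0;
	return 1;
}

/*
 * Same branch order as the 6.0.3p1 excerpt.  The "no domain, local user"
 * branch returns 1 without re-checking the local part: it is reached
 * whenever either predicate failed and the domain is empty.
 */
static int check_quoted_flow(struct mailaddr *m, int mailfrom, const char *domain)
{
	if (!valid_localpart(m->user) || !valid_domainpart(m->domain)) {
		/* accept empty return-path in MAIL FROM, required for bounces */
		if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0')
			return 1;
		/* no user-part, reject */
		if (m->user[0] == '\0')
			return 0;
		/* no domain, local user */
		if (m->domain[0] == '\0') {
			snprintf(m->domain, sizeof(m->domain), "%s", domain);
			return 1;
		}
		return 0;
	}
	return 1;
}

/*
 * Hardened variant written for this example (not OpenSMTPD's fix): apart
 * from the empty bounce sender, the local part must validate on every path,
 * and a non-empty domain must validate too.
 */
static int check_hardened(struct mailaddr *m, int mailfrom, const char *domain)
{
	if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0')
		return 1;
	if (!valid_localpart(m->user))
		return 0;
	if (m->domain[0] == '\0') {
		snprintf(m->domain, sizeof(m->domain), "%s", domain);
		return 1;
	}
	return valid_domainpart(m->domain);
}

/* Run one address through the chosen check; 1 = accepted, 0 = rejected. */
int accepted(int hardened, const char *user, const char *domain, int mailfrom)
{
	struct mailaddr m;

	snprintf(m.user, sizeof(m.user), "%s", user);
	snprintf(m.domain, sizeof(m.domain), "%s", domain);
	return hardened ? check_hardened(&m, mailfrom, "localhost")
	                : check_quoted_flow(&m, mailfrom, "localhost");
}

int main(void)
{
	/* Constructed sample senders: valid local, invalid local, empty, bad domain. */
	const char *users[] = { "alice", "al;ice", "", "alice" };
	const char *domains[] = { "", "", "", "exa mple" };
	size_t i;

	for (i = 0; i < 4; i++)
		printf("<%s@%s> quoted=%d hardened=%d\n", users[i], domains[i],
		    accepted(0, users[i], domains[i], 1),
		    accepted(1, users[i], domains[i], 1));
	return 0;
}
```

Build with `cc -Wall example.c` and run it: the second row is the one to look at, since it is the only input on which the two checks disagree. The model says nothing about what a later stage does with an accepted address; that part is in [0], not in this message.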
Thread overview: 2+ messages
2020-01-29 18:11 Tobias Geerinckx-Rice [this message]
2020-01-31  5:14 ` Critical opensmtpd vulnerability 宋文武