unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Critical opensmtpd vulnerability
@ 2020-01-29 18:11 Tobias Geerinckx-Rice
  2020-01-31  5:14 ` 宋文武
  0 siblings, 1 reply; 2+ messages in thread
From: Tobias Geerinckx-Rice @ 2020-01-29 18:11 UTC (permalink / raw)
  To: Guix-devel

[-- Attachment #1: Type: text/plain, Size: 2347 bytes --]

Fellow Guix running opensmtpd mail servers,

As you probably know by now, a serious remote code execution bug 
was recently found and fixed in OpenSMTPd[0].

TL;DR: You should probably stop your opensmtpd daemon until you've 
checked that our regular opensmtpd package (6.0.3p1) is not 
vulnerable.  If possible, switch to opensmtpd-next and adapt your 
configuration syntax:

    (service opensmtpd-service-type
         (opensmtpd-configuration
          (package opensmtpd-next)
          (config-file (plain-file "smtpd.conf"
                       "include 
                       \"/etc/guix/mail/my-new-smtpd.conf\"\n"))))

Here some stuff I typed before I ran out of time and got on a bus… 
now.

~~~

The issue has been fixed in opensmtpd 6.6.2p1.  I updated our 
‘opensmtpd-next’ package last night (about 18 hours ago, or 1 hour 
after the vulnerability was announced).  If you use opensmtpd-next 
and haven't updated yet, now is the time to do so, as well as the 
time to subscribe to misc at opensmtpd.org.

However!  Guix's opensmtpd-service-type still uses the much older 
‘opensmtpd’ package, which is still at 6.0.x, because 
opensmtpd-next introduced a new and incompatible smtpd.conf 
grammar change.

According to [0], the bug was introduced together with this new 
grammar[1].  It's possible that opensmtpd 6.0.x is not affected.

However, I had a quick look at the 6.0.3p1 sources and 
smtpd/smtp_session.c's

    if (!valid_localpart(maddr->user) ||
        !valid_domainpart(maddr->domain)) {
        /* accept empty return-path in MAIL FROM, required for 
        bounces */
        if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] 
        == '\0')
            return (1);

        /* no user-part, reject */
        if (maddr->user[0] == '\0')
            return (0);

        /* no domain, local user */
        if (maddr->domain[0] == '\0') {
            (void)strlcpy(maddr->domain, domain,
                sizeof(maddr->domain));
            return (1);
        }
        return (0);
    }

    return (1);

looks pretty damn similar to the logic described here[0].

Kind regards,

T G-R

[0]: https://seclists.org/oss-sec/2020/q1/40
[1]: 
https://www.pf4sh.eu/git/openbsd/src/commit/a8e222352fecfb8aeaf32faf9d0df59b96a447d0

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Critical opensmtpd vulnerability
  2020-01-29 18:11 Critical opensmtpd vulnerability Tobias Geerinckx-Rice
@ 2020-01-31  5:14 ` 宋文武
  0 siblings, 0 replies; 2+ messages in thread
From: 宋文武 @ 2020-01-31  5:14 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: Guix-devel

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Fellow Guix running opensmtpd mail servers,
>
> As you probably know by now, a serious remote code execution bug was
> recently found and fixed in OpenSMTPd[0].
>
> TL;DR: You should probably stop your opensmtpd daemon until you've
> checked that our regular opensmtpd package (6.0.3p1) is not
> vulnerable.  If possible, switch to opensmtpd-next and adapt your
> configuration syntax:
>
>    (service opensmtpd-service-type
>         (opensmtpd-configuration
>          (package opensmtpd-next)
>          (config-file (plain-file "smtpd.conf"
>                       "include
> "/etc/guix/mail/my-new-smtpd.conf"\n"))))
>

I just upgrade my vulnerable opensmtpd 6.6.1p1 to 6.6.2p2, thank you
very much!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-01-31  5:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-01-29 18:11 Critical opensmtpd vulnerability Tobias Geerinckx-Rice
2020-01-31  5:14 ` 宋文武

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).