From: Tobias Geerinckx-Rice
Subject: Critical opensmtpd vulnerability
Date: Wed, 29 Jan 2020 19:11:09 +0100
Message-ID: <87a7666sle.fsf@nckx>
To: Guix-devel

Fellow Guix running opensmtpd mail servers,

As you probably know by now, a serious remote code execution bug was recently found and fixed in OpenSMTPd[0].

TL;DR: You should probably stop your opensmtpd daemon until you've checked that our regular opensmtpd package (6.0.3p1) is not vulnerable.
If possible, switch to opensmtpd-next and adapt your configuration syntax:

  (service opensmtpd-service-type
           (opensmtpd-configuration
            (package opensmtpd-next)
            (config-file
             (plain-file "smtpd.conf"
                         "include \"/etc/guix/mail/my-new-smtpd.conf\"\n"))))

Here's some stuff I typed before I ran out of time and got on a bus… now.

~~~

The issue has been fixed in opensmtpd 6.6.2p1. I updated our ‘opensmtpd-next’ package last night (about 18 hours ago, or 1 hour after the vulnerability was announced). If you use opensmtpd-next and haven't updated yet, now is the time to do so, as well as the time to subscribe to misc at opensmtpd.org.

However! Guix's opensmtpd-service-type still uses the much older ‘opensmtpd’ package, which is still at 6.0.x, because opensmtpd-next introduced a new and incompatible smtpd.conf grammar change.

According to [0], the bug was introduced together with this new grammar[1]. It's possible that opensmtpd 6.0.x is not affected.

However, I had a quick look at the 6.0.3p1 sources and smtpd/smtp_session.c's

  if (!valid_localpart(maddr->user) ||
      !valid_domainpart(maddr->domain)) {
          /* accept empty return-path in MAIL FROM, required for bounces */
          if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
                  return (1);

          /* no user-part, reject */
          if (maddr->user[0] == '\0')
                  return (0);

          /* no domain, local user */
          if (maddr->domain[0] == '\0') {
                  (void)strlcpy(maddr->domain, domain,
                      sizeof(maddr->domain));
                  return (1);
          }
          return (0);
  }
  return (1);

looks pretty damn similar to the logic described here[0].
Kind regards,

T G-R

[0]: https://seclists.org/oss-sec/2020/q1/40
[1]: https://www.pf4sh.eu/git/openbsd/src/commit/a8e222352fecfb8aeaf32faf9d0df59b96a447d0
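As an added illustration (not part of Tobias's mail, and not OpenSMTPD's own code), the stand-alone C program below reconstructs the 6.0.3p1 check quoted above as check_mailaddr_6_0() and places it beside a hardened variant, check_mailaddr_hardened(), which only fills in a default domain once the local part has itself validated. valid_localpart() and valid_domainpart() are simplified stand-ins written for this example, the buffer sizes and the "mail.example" default domain are assumptions, and the hardened branch is this example's own change, not a claim about what the upstream fix in 6.6.2p1 does.

```c
/*
 * Added example, not from the original mail or from OpenSMTPD: the address
 * check quoted from 6.0.3p1 smtp_session.c, reconstructed so it compiles on
 * its own, beside a hardened variant. valid_localpart()/valid_domainpart()
 * are simplified stand-ins (assumption), not OpenSMTPD's functions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this example. */
#define LOCALPART_SIZE  64
#define DOMAINPART_SIZE 256

struct mailaddr {
	char user[LOCALPART_SIZE];
	char domain[DOMAINPART_SIZE];
};

/* Simplified local-part rule (assumption): letters, digits and "._-+". */
static int
valid_localpart(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && strchr("._-+", *s) == NULL)
			return 0;
	return 1;
}

/* Simplified domain rule (assumption): letters, digits, '-' and '.'. */
static int
valid_domainpart(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
			return 0;
	return 1;
}

/* Same control flow as the 6.0.3p1 excerpt: 1 accepts, 0 rejects.
 * 'domain' is the server's default domain. */
int
check_mailaddr_6_0(struct mailaddr *maddr, int mailfrom, const char *domain)
{
	if (!valid_localpart(maddr->user) || !valid_domainpart(maddr->domain)) {
		/* accept empty return-path in MAIL FROM, required for bounces */
		if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
			return 1;
		/* no user-part, reject */
		if (maddr->user[0] == '\0')
			return 0;
		/* no domain, local user: the local part is not re-checked here */
		if (maddr->domain[0] == '\0') {
			snprintf(maddr->domain, sizeof(maddr->domain), "%s", domain);
			return 1;
		}
		return 0;
	}
	return 1;
}

/* Hardened variant (this example's own change, not the upstream patch):
 * the default domain is applied only when the local part validates. */
int
check_mailaddr_hardened(struct mailaddr *maddr, int mailfrom, const char *domain)
{
	if (!valid_localpart(maddr->user) || !valid_domainpart(maddr->domain)) {
		if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
			return 1;
		if (maddr->user[0] == '\0')
			return 0;
		if (maddr->domain[0] == '\0' && valid_localpart(maddr->user)) {
			snprintf(maddr->domain, sizeof(maddr->domain), "%s", domain);
			return 1;
		}
		return 0;
	}
	return 1;
}

/* Build a mailaddr from two strings and run one of the checks on it. */
int
run_check(int (*check)(struct mailaddr *, int, const char *),
    const char *user, const char *dom, int mailfrom)
{
	struct mailaddr m;

	snprintf(m.user, sizeof(m.user), "%s", user);
	snprintf(m.domain, sizeof(m.domain), "%s", dom);
	return check(&m, mailfrom, "mail.example");
}

int
main(void)
{
	/* Constructed sample inputs: local part, domain, seen in MAIL FROM? */
	const char *user[] = { "alice", "", "", "alice", "not valid" };
	const char *dom[]  = { "example.org", "", "", "", "" };
	int mailfrom[]     = { 1, 1, 0, 1, 1 };
	size_t i;

	for (i = 0; i < sizeof(mailfrom) / sizeof(mailfrom[0]); i++)
		printf("<%s@%s> mailfrom=%d  6.0.3p1=%d  hardened=%d\n",
		    user[i], dom[i], mailfrom[i],
		    run_check(check_mailaddr_6_0, user[i], dom[i], mailfrom[i]),
		    run_check(check_mailaddr_hardened, user[i], dom[i], mailfrom[i]));
	return 0;
}
```

The case worth watching is a local part that valid_localpart() rejects combined with an empty domain: the 6.0.3p1 control flow falls through to the "no domain, local user" branch and accepts it (returns 1), which is the shape of the problem the oss-sec post [0] describes, whereas the hardened variant rejects it (returns 0). The two empty-address rows show that the bounce exception stays intact in both: an empty return-path is still accepted in MAIL FROM and still rejected elsewhere.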