aboutsummaryrefslogtreecommitdiff
path: root/network
diff options
context:
space:
mode:
authorRichard Narron <richard@aaazen.com>2020-02-27 21:59:00 +0700
committerWilly Sudiarto Raharjo <willysr@slackbuilds.org>2020-02-27 21:59:17 +0700
commit6f2d9aaed4a337be83c4febb26fb39be006b9a11 (patch)
tree0a9b7599bccf08d341e86c76e6e808b95ca79d32 /network
parent71b1427e3fc882796fe1c7955e49f83bbe6b990b (diff)
network/opensmtpd: Fix security issue.
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
Diffstat (limited to 'network')
-rw-r--r--network/opensmtpd/openbsd65-031-smtpd-envelope.patch199
-rw-r--r--network/opensmtpd/opensmtpd.SlackBuild5
2 files changed, 203 insertions, 1 deletions
diff --git a/network/opensmtpd/openbsd65-031-smtpd-envelope.patch b/network/opensmtpd/openbsd65-031-smtpd-envelope.patch
new file mode 100644
index 0000000000000..cd59f1d6fa74b
--- /dev/null
+++ b/network/opensmtpd/openbsd65-031-smtpd-envelope.patch
@@ -0,0 +1,199 @@
+OpenBSD 6.5 errata 031, February 24, 2020:
+
+An out of bounds read in smtpd allows an attacker to inject arbitrary
+commands into the envelope file which are then executed as root.
+Separately, missing privilege revocation in smtpctl allows arbitrary
+commands to be run with the _smtpq group.
+
+--- a/smtpd/makemap.c.orig 2018-01-10 05:06:40.000000000 -0800
++++ b/smtpd/makemap.c 2020-02-24 15:41:18.278340410 -0800
+@@ -105,8 +105,13 @@ makemap(int prog_mode, int argc, char *a
+ int ch, dbputs = 0, Uflag = 0;
+ DBTYPE dbtype = DB_HASH;
+ char *p;
++ gid_t gid;
+ int fd = -1;
+
++ gid = getgid();
++ if (setresgid(gid, gid, gid) == -1)
++ err(1, "setresgid");
++
+ log_init(1, LOG_MAIL);
+
+ mode = prog_mode;
+@@ -180,9 +185,9 @@ makemap(int prog_mode, int argc, char *a
+ errx(1, "database name too long");
+ }
+
+- execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-",
+- (char *)NULL);
+- err(1, "execlp");
++ execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname,
++ "-", (char *)NULL);
++ err(1, "execl");
+ }
+
+ if (mode == P_NEWALIASES) {
+--- a/smtpd/mta_session.c.orig 2020-02-08 10:24:17.692029666 -0800
++++ b/smtpd/mta_session.c 2020-02-24 15:46:46.121342818 -0800
+@@ -1214,7 +1214,7 @@ mta_io(struct io *io, int evt, void *arg
+ if (cont) {
+ if (s->replybuf[0] == '\0')
+ (void)strlcat(s->replybuf, line, sizeof s->replybuf);
+- else {
++ else if (len > 4) {
+ line = line + 4;
+ if (isdigit((int)*line) && *(line + 1) == '.' &&
+ isdigit((int)*line+2) && *(line + 3) == '.' &&
+@@ -1229,7 +1229,9 @@ mta_io(struct io *io, int evt, void *arg
+ /* last line of a reply, check if we're on a continuation to parse out status and ESC.
+ * if we overflow reply buffer or are not on continuation, log entire last line.
+ */
+- if (s->replybuf[0] != '\0') {
++ if (s->replybuf[0] == '\0')
++ (void)strlcat(s->replybuf, line, sizeof s->replybuf);
++ else if (len > 4) {
+ p = line + 4;
+ if (isdigit((int)*p) && *(p + 1) == '.' &&
+ isdigit((int)*p+2) && *(p + 3) == '.' &&
+@@ -1238,8 +1240,6 @@ mta_io(struct io *io, int evt, void *arg
+ if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
+ (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
+ }
+- else
+- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
+
+ if (s->state == MTA_QUIT) {
+ log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu",
+--- a/smtpd/smtpctl.c.orig 2018-01-10 05:06:40.000000000 -0800
++++ b/smtpd/smtpctl.c 2020-02-24 14:57:04.687320914 -0800
+@@ -1116,7 +1116,7 @@ sendmail_compat(int argc, char **argv)
+ */
+ for (i = 1; i < argc; i++)
+ if (strncmp(argv[i], "-bi", 3) == 0)
+- exit(makemap(P_NEWALIASES, argc, argv));
++ exit(makemap(P_SENDMAIL, argc, argv));
+
+ if (!srv_connect())
+ offlinefp = offline_file();
+--- a/smtpd/smtpd-defines.h.orig 2018-01-10 05:06:40.000000000 -0800
++++ b/smtpd/smtpd-defines.h 2020-02-24 15:00:29.616322420 -0800
+@@ -46,6 +46,9 @@
+ #ifndef PATH_SPOOL
+ #define PATH_SPOOL "/var/spool/smtpd"
+ #endif
++#ifndef PATH_MAKEUP
++#define PATH_MAKEMAP "/usr/sbin/makemap"
++#endif
+
+ #define SUBADDRESSING_DELIMITER "+"
+
+--- a/smtpd/smtpd.c.orig 2018-01-10 05:06:40.000000000 -0800
++++ b/smtpd/smtpd.c 2020-02-24 15:55:55.503346854 -0800
+@@ -109,9 +109,10 @@ static struct mproc *setup_peer(enum smt
+ static int imsg_wait(struct imsgbuf *, struct imsg *, int);
+
+ static void offline_scan(int, short, void *);
+-static int offline_add(char *);
++static int offline_add(char *, uid_t, gid_t);
+ static void offline_done(void);
+-static int offline_enqueue(char *);
++static int offline_enqueue(char *, uid_t, gid_t);
++
+
+ static void purge_task(void);
+ static int parent_auth_user(const char *, const char *);
+@@ -136,6 +137,8 @@ struct child {
+
+ struct offline {
+ TAILQ_ENTRY(offline) entry;
++ uid_t uid;
++ gid_t gid;
+ char *path;
+ };
+
+@@ -1409,7 +1412,8 @@ offline_scan(int fd, short ev, void *arg
+ continue;
+ }
+
+- if (offline_add(e->fts_name)) {
++ if (offline_add(e->fts_name, e->fts_statp->st_uid,
++ e->fts_statp->st_gid)) {
+ log_warnx("warn: smtpd: "
+ "could not add offline message %s", e->fts_name);
+ continue;
+@@ -1429,7 +1433,7 @@ offline_scan(int fd, short ev, void *arg
+ }
+
+ static int
+-offline_enqueue(char *name)
++offline_enqueue(char *name, uid_t uid, gid_t gid)
+ {
+ char *path;
+ struct stat sb;
+@@ -1491,6 +1495,18 @@ offline_enqueue(char *name)
+ _exit(1);
+ }
+
++ if (sb.st_uid != uid) {
++ log_warnx("warn: smtpd: file %s has bad uid %d",
++ path, sb.st_uid);
++ _exit(1);
++ }
++
++ if (sb.st_gid != gid) {
++ log_warnx("warn: smtpd: file %s has bad gid %d",
++ path, sb.st_gid);
++ _exit(1);
++ }
++
+ pw = getpwuid(sb.st_uid);
+ if (pw == NULL) {
+ log_warnx("warn: smtpd: getpwuid for uid %d failed",
+@@ -1547,17 +1563,19 @@ offline_enqueue(char *name)
+ }
+
+ static int
+-offline_add(char *path)
++offline_add(char *path, uid_t uid, gid_t gid)
+ {
+ struct offline *q;
+
+ if (offline_running < OFFLINE_QUEUEMAX)
+ /* skip queue */
+- return offline_enqueue(path);
++ return offline_enqueue(path, uid, gid);
+
+ q = malloc(sizeof(*q) + strlen(path) + 1);
+ if (q == NULL)
+ return (-1);
++ q->uid = uid;
++ q->gid = gid;
+ q->path = (char *)q + sizeof(*q);
+ memmove(q->path, path, strlen(path) + 1);
+ TAILQ_INSERT_TAIL(&offline_q, q, entry);
+@@ -1576,7 +1594,8 @@ offline_done(void)
+ if ((q = TAILQ_FIRST(&offline_q)) == NULL)
+ break; /* all done */
+ TAILQ_REMOVE(&offline_q, q, entry);
+- offline_enqueue(q->path);
++ offline_enqueue(q->path, q->uid, q->gid);
++
+ free(q);
+ }
+ }
+--- a/smtpd/smtpd.h.orig 2018-01-10 05:06:40.000000000 -0800
++++ b/smtpd/smtpd.h 2020-02-24 15:20:09.043331085 -0800
+@@ -128,8 +128,10 @@
+ #define MTA_EXT_DSN 0x400
+
+
+-#define P_NEWALIASES 0
+-#define P_MAKEMAP 1
++#define P_SENDMAIL 0
++#define P_NEWALIASES 1
++#define P_MAKEMAP 2
++
+
+ struct userinfo {
+ char username[SMTPD_VUSERNAME_SIZE];
diff --git a/network/opensmtpd/opensmtpd.SlackBuild b/network/opensmtpd/opensmtpd.SlackBuild
index 052a1fcf03733..54a4f8e4cf9ad 100644
--- a/network/opensmtpd/opensmtpd.SlackBuild
+++ b/network/opensmtpd/opensmtpd.SlackBuild
@@ -25,7 +25,7 @@
PRGNAM=opensmtpd
VERSION=${VERSION:-6.0.3p1}
-BUILD=${BUILD:-5}
+BUILD=${BUILD:-6}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
@@ -104,6 +104,9 @@ cat $CWD/openbsd66-019-smtpd-exec.patch | patch -p1
# check null from crypt function
cat $CWD/fix-crash-on-authentication.patch | patch -p1
+# fix smtpctl envelop
+cat $CWD/openbsd65-031-smtpd-envelope.patch | patch -p1
+
CFLAGS="$SLKCFLAGS -D_DEFAULT_SOURCE" \
CXXFLAGS="$SLKCFLAGS" \
./configure \