diff options
Diffstat (limited to 'network/opensmtpd/openbsd66-019-smtpd-exec.patch')
-rw-r--r-- | network/opensmtpd/openbsd66-019-smtpd-exec.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/network/opensmtpd/openbsd66-019-smtpd-exec.patch b/network/opensmtpd/openbsd66-019-smtpd-exec.patch new file mode 100644 index 000000000000..93ce19dcb170 --- /dev/null +++ b/network/opensmtpd/openbsd66-019-smtpd-exec.patch @@ -0,0 +1,46 @@ +OpenBSD 6.6 errata 019, January 30, 2020: + +An incorrect check allows an attacker to trick mbox delivery into executing +arbitrary commands as root and lmtp delivery into executing arbitrary commands +as an unprivileged user. + +--- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415 ++++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000 +@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch + memmove(maddr->user, p, strlen(p) + 1); + } + +- if (!valid_localpart(maddr->user) || +- !valid_domainpart(maddr->domain)) { +- /* accept empty return-path in MAIL FROM, required for bounces */ +- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') +- return (1); ++ /* accept empty return-path in MAIL FROM, required for bounces */ ++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') ++ return (1); + +- /* no user-part, reject */ +- if (maddr->user[0] == '\0') +- return (0); +- +- /* no domain, local user */ +- if (maddr->domain[0] == '\0') { +- (void)strlcpy(maddr->domain, domain, +- sizeof(maddr->domain)); +- return (1); +- } ++ /* no or invalid user-part, reject */ ++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user)) + return (0); ++ ++ /* no domain part, local user */ ++ if (maddr->domain[0] == '\0') { ++ (void)strlcpy(maddr->domain, domain, ++ sizeof(maddr->domain)); + } ++ ++ if (!valid_domainpart(maddr->domain)) ++ return (0); + + return (1); + } |