aboutsummaryrefslogtreecommitdiff
path: root/network/opensmtpd/openbsd66-019-smtpd-exec.patch
diff options
context:
space:
mode:
Diffstat (limited to 'network/opensmtpd/openbsd66-019-smtpd-exec.patch')
-rw-r--r--network/opensmtpd/openbsd66-019-smtpd-exec.patch46
1 files changed, 46 insertions, 0 deletions
diff --git a/network/opensmtpd/openbsd66-019-smtpd-exec.patch b/network/opensmtpd/openbsd66-019-smtpd-exec.patch
new file mode 100644
index 000000000000..93ce19dcb170
--- /dev/null
+++ b/network/opensmtpd/openbsd66-019-smtpd-exec.patch
@@ -0,0 +1,46 @@
+OpenBSD 6.6 errata 019, January 30, 2020:
+
+An incorrect check allows an attacker to trick mbox delivery into executing
+arbitrary commands as root and lmtp delivery into executing arbitrary commands
+as an unprivileged user.
+
+--- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415
++++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000
+@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch
+ memmove(maddr->user, p, strlen(p) + 1);
+ }
+
+- if (!valid_localpart(maddr->user) ||
+- !valid_domainpart(maddr->domain)) {
+- /* accept empty return-path in MAIL FROM, required for bounces */
+- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+- return (1);
++ /* accept empty return-path in MAIL FROM, required for bounces */
++ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
++ return (1);
+
+- /* no user-part, reject */
+- if (maddr->user[0] == '\0')
+- return (0);
+-
+- /* no domain, local user */
+- if (maddr->domain[0] == '\0') {
+- (void)strlcpy(maddr->domain, domain,
+- sizeof(maddr->domain));
+- return (1);
+- }
++ /* no or invalid user-part, reject */
++ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
+ return (0);
++
++ /* no domain part, local user */
++ if (maddr->domain[0] == '\0') {
++ (void)strlcpy(maddr->domain, domain,
++ sizeof(maddr->domain));
+ }
++
++ if (!valid_domainpart(maddr->domain))
++ return (0);
+
+ return (1);
+ }