Bug#990027: pre-approval unblock: opendmarc/1.4.0~beta1+dfsg-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please pre-approve unblock of package opendmarc
Recently several fixes for CVEs in OpenDMARC have landed in bullseye
thanks to unblock request #989324 being granted.
Now reports of crashes have arrived at the upstream bug tracker,
resulting in new CVE-2021-34555. It appears that the fix for
CVE-2019-16378 contains code that can segfault, given certain inputs. An
attacker can crash the current bullseye/sid version at will, so a fix is
urgently needed.
I have created a patch and proposed it upstream and would like to apply
it here as well via sponsorship on debian-mentors, hence this request
for pre-approval.
[ Reason ]
A fix for the new CVE-2021-34555 has been proposed upstream.
[ Impact ]
Current opendmarc 1.4.0~beta1+dfsg-5 can be trivially crashed by a third
party, leading to a denial of service outage.
[ Tests ]
The reporter at upstream has confirmed that the fix works; I also verified it via
a manual test.
[ Risks ]
Upstream is not active, but they might prefer a different fix when they
come back.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock opendmarc/1.4.0~beta1+dfsg-6
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog
--- opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-02 14:17:33.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-18 09:37:57.000000000 +0200
@@ -1,3 +1,10 @@
+opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high
+
+ * Add patch for CVE-2021-34555 from upstream issue tracker:
+ - Do not dereference NULL in multi-value From headers (Closes: #990001)
+
+ -- David Bürgin <dbuergin@gluet.ch> Fri, 18 Jun 2021 09:37:57 +0200
+
opendmarc (1.4.0~beta1+dfsg-5) unstable; urgency=high
* Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged
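Review bot: the changelog entry `- Do not dereference NULL in multi-value From headers (Closes: #990001)` describes only the NULL guard, but the added cve-2021-34555.patch also makes the "multi-valued From field detected" syslog call conditional on `conf->conf_dolog`, which is a second behaviour change (sites that have logging disabled will no longer see that message). Mention that in the entry so the changelog matches what ships in this upload.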
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch 1970-01-01 01:00:00.000000000 +0100
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch 2021-06-15 16:36:43.000000000 +0200
@@ -0,0 +1,38 @@
+Description: CVE-2021-34555: Fix multi-value From rejection logic
+Author: David Bürgin <dbuergin@gluet.ch>
+Bug: https://github.com/trusteddomainproject/OpenDMARC/pull/178
+
+--- a/opendmarc/opendmarc.c
++++ b/opendmarc/opendmarc.c
+@@ -2517,17 +2517,22 @@
+
+ for (c = 1; users[c] != NULL; c++)
+ {
+- if (strcasecmp(domains[0], domains[c]) != 0)
++ if (domains[0] != NULL
++ && domains[c] != NULL
++ && strcasecmp(domains[0], domains[c]) != 0)
+ {
+- syslog(LOG_ERR,
+- "%s: multi-valued From field detected",
+- dfc->mctx_jobid);
+- }
++ if (conf->conf_dolog)
++ {
++ syslog(LOG_ERR,
++ "%s: multi-valued From field detected",
++ dfc->mctx_jobid);
++ }
+
+- if (conf->conf_reject_multi_from)
+- return SMFIS_REJECT;
+- else
+- return SMFIS_ACCEPT;
++ if (conf->conf_reject_multi_from)
++ return SMFIS_REJECT;
++ else
++ return SMFIS_ACCEPT;
++ }
+ }
+
+ user = users[0];
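Review bot: with the new guard `if (domains[0] != NULL && domains[c] != NULL && ...)`, a From header whose parsed domain is missing at `domains[0]` or `domains[c]` is now skipped silently instead of crashing, so a message that previously segfaulted is accepted with no log line and the `conf_reject_multi_from` check is never reached for it; consider adding a log entry (under `conf->conf_dolog`) when a domain cannot be extracted, so operators can spot these messages and the change in reject behaviour is visible. On the DEP-3 header, `Bug:` is used here for the upstream pull request; recording it as `Forwarded: https://github.com/trusteddomainproject/OpenDMARC/pull/178` and adding `Bug-Debian: https://bugs.debian.org/990001` would make the forwarding status and the Debian bug the changelog closes explicit in the patch metadata.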
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series opendmarc-1.4.0~beta1+dfsg/debian/patches/series
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-02 12:14:59.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-15 16:23:10.000000000 +0200
@@ -12,3 +12,4 @@
cve-2019-16378.patch
cve-2020-12272.patch
cve-2019-20790.patch
+cve-2021-34555.patch