Control: tags -1 confirmed moreinfo
On 2021-06-18 10:03:21 +0200, David Bürgin wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please pre-approve unblock of package opendmarc
>
> Recently several fixes for CVEs in OpenDMARC have landed in bullseye
> thanks to unblock request #989324 being granted.
>
> Now reports of crashes have arrived at the upstream bug tracker,
> resulting in new CVE-2021-34555. It appears that the fix for
> CVE-2019-16378 contains code that can segfault, given certain inputs. An
> attacker can crash the current bullseye/sid version at will, so a fix is
> urgently needed.
>
> I have created a patch and proposed it upstream and would like to apply
> it here as well via sponsorship on debian-mentors, hence this request
> for pre-approval.
>
> [ Reason ]
> A fix for new CVE-2021-34555 has been proposed upstream.
>
> [ Impact ]
> Current opendmarc 1.4.0~beta1+dfsg-5 can be trivially crashed by a third
> party leading to denial of service outage.
>
> [ Tests ]
> Reporter at upstream has confirmed the fix works, I also verified it via
> manual test.
>
> [ Risks ]
> Upstream is not active, but they might prefer a different fix when they
> come back.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock opendmarc/1.4.0~beta1+dfsg-6
ACK, please remove the moreinfo tag once the new version is available in
unstable.
Cheers
> diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog
> --- opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-02 14:17:33.000000000 +0200
> +++ opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-18 09:37:57.000000000 +0200
> @@ -1,3 +1,10 @@
> +opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high
> +
> + * Add patch for CVE-2021-34555 from upstream issue tracker:
> + - Do not dereference NULL in multi-value From headers (Closes: #990001)
> +
> + -- David Bürgin <dbuergin@gluet.ch> Fri, 18 Jun 2021 09:37:57 +0200
> +
> opendmarc (1.4.0~beta1+dfsg-5) unstable; urgency=high
>
> * Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged
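Review bot: the changelog entry only describes the NULL-dereference fix ("Do not dereference NULL in multi-value From headers"), but the patch file added below also wraps the syslog call in `if (conf->conf_dolog)`, which changes when the multi-valued From warning is logged. Either mention that logging change in this entry or drop it from the patch, so the release team sees the full scope of what is being unblocked.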
> diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch
> --- opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch 1970-01-01 01:00:00.000000000 +0100
> +++ opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch 2021-06-15 16:36:43.000000000 +0200
> @@ -0,0 +1,38 @@
> +Description: CVE-2021-34555: Fix multi-value From rejection logic
> +Author: David Bürgin <dbuergin@gluet.ch>
> +Bug: https://github.com/trusteddomainproject/OpenDMARC/pull/178
> +
> +--- a/opendmarc/opendmarc.c
> ++++ b/opendmarc/opendmarc.c
> +@@ -2517,17 +2517,22 @@
> +
> + for (c = 1; users[c] != NULL; c++)
> + {
> +- if (strcasecmp(domains[0], domains[c]) != 0)
> ++ if (domains[0] != NULL
> ++ && domains[c] != NULL
> ++ && strcasecmp(domains[0], domains[c]) != 0)
> + {
> +- syslog(LOG_ERR,
> +- "%s: multi-valued From field detected",
> +- dfc->mctx_jobid);
> +- }
> ++ if (conf->conf_dolog)
> ++ {
> ++ syslog(LOG_ERR,
> ++ "%s: multi-valued From field detected",
> ++ dfc->mctx_jobid);
> ++ }
> +
> +- if (conf->conf_reject_multi_from)
> +- return SMFIS_REJECT;
> +- else
> +- return SMFIS_ACCEPT;
> ++ if (conf->conf_reject_multi_from)
> ++ return SMFIS_REJECT;
> ++ else
> ++ return SMFIS_ACCEPT;
> ++ }
> + }
> +
> + user = users[0];
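Review bot: the new guard skips the comparison whenever `domains[0]` or `domains[c]` is NULL, so a From field carrying several addresses where one address has no parseable domain is no longer detected as multi-valued at all: the loop falls through to `user = users[0];` and the message is processed as if it had a single sender. Since a NULL domain entry is exactly the input that previously crashed here, it would be more conservative to treat a NULL on either side as a mismatch, i.e. enter the block (and honour `conf_reject_multi_from`) in that case rather than silently continuing. Separately, the `if (conf->conf_dolog)` gate around `syslog()` is a logging behaviour change unrelated to the crash; the Description header only mentions the rejection logic, so either note it there or split it out. The DEP-3 header also has no `Forwarded:` field even though the change was proposed upstream as pull request 178 (the URL in `Bug:`); adding `Forwarded:` with that URL would make the upstream status explicit.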
> diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series opendmarc-1.4.0~beta1+dfsg/debian/patches/series
> --- opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-02 12:14:59.000000000 +0200
> +++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-15 16:23:10.000000000 +0200
> @@ -12,3 +12,4 @@
> cve-2019-16378.patch
> cve-2020-12272.patch
> cve-2019-20790.patch
> +cve-2021-34555.patch
--
Sebastian Ramacher