Bug#990027: marked as done (pre-approval unblock: opendmarc/1.4.0~beta1+dfsg-6)



Your message dated Wed, 23 Jun 2021 19:38:11 +0000
with message-id <E1lw8hP-0000m4-VG@respighi.debian.org>
and subject line unblock opendmarc
has caused the Debian Bug report #990027,
regarding pre-approval unblock: opendmarc/1.4.0~beta1+dfsg-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990027
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please pre-approve unblock of package opendmarc

Recently several fixes for CVEs in OpenDMARC have landed in bullseye
thanks to unblock request #989324 being granted.

Now reports of crashes have arrived at the upstream bug tracker,
resulting in the new CVE-2021-34555. It appears that the fix for
CVE-2019-16378 contains code that can segfault, given certain inputs. An
attacker can crash the current bullseye/sid version at will, so a fix is
urgently needed.

I have created a patch and proposed it upstream and would like to apply
it here as well via sponsorship on debian-mentors, hence this request
for pre-approval.

[ Reason ]
A fix for the new CVE-2021-34555 has been proposed upstream.

[ Impact ]
Current opendmarc 1.4.0~beta1+dfsg-5 can be trivially crashed by a third
party, leading to a denial-of-service outage.

[ Tests ]
The reporter at upstream has confirmed the fix works; I also verified it via
a manual test.

[ Risks ]
Upstream is not active, but they might prefer a different fix when they
come back.

[ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

unblock opendmarc/1.4.0~beta1+dfsg-6
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog
--- opendmarc-1.4.0~beta1+dfsg/debian/changelog	2021-06-02 14:17:33.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/changelog	2021-06-18 09:37:57.000000000 +0200
@@ -1,3 +1,10 @@
+opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high
+
+  * Add patch for CVE-2021-34555 from upstream issue tracker:
+    - Do not dereference NULL in multi-value From headers (Closes: #990001)
+
+ -- David Bürgin <dbuergin@gluet.ch>  Fri, 18 Jun 2021 09:37:57 +0200
+
 opendmarc (1.4.0~beta1+dfsg-5) unstable; urgency=high
 
   * Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged
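Review bot: the changelog entry "Do not dereference NULL in multi-value From headers" describes only the added NULL checks, but the patch body in cve-2021-34555.patch also changes behaviour: the reject/accept return now fires only when the domains actually differ (previously it fired on the first iteration for any multi-valued From), and the syslog call is newly gated on conf->conf_dolog. Both are user-visible changes in a stable-update candidate and should be named in the changelog so release team and users can see them without reading the patch.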
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch	1970-01-01 01:00:00.000000000 +0100
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch	2021-06-15 16:36:43.000000000 +0200
@@ -0,0 +1,38 @@
+Description: CVE-2021-34555: Fix multi-value From rejection logic
+Author: David Bürgin <dbuergin@gluet.ch>
+Bug: https://github.com/trusteddomainproject/OpenDMARC/pull/178
+
+--- a/opendmarc/opendmarc.c
++++ b/opendmarc/opendmarc.c
+@@ -2517,17 +2517,22 @@
+ 
+ 		for (c = 1; users[c] != NULL; c++)
+ 		{
+-			if (strcasecmp(domains[0], domains[c]) != 0)
++			if (domains[0] != NULL
++			    && domains[c] != NULL
++			    && strcasecmp(domains[0], domains[c]) != 0)
+ 			{
+-				syslog(LOG_ERR,
+-				       "%s: multi-valued From field detected",
+-				       dfc->mctx_jobid);
+-			}
++				if (conf->conf_dolog)
++				{
++					syslog(LOG_ERR,
++					       "%s: multi-valued From field detected",
++					       dfc->mctx_jobid);
++				}
+ 
+-			if (conf->conf_reject_multi_from)
+-				return SMFIS_REJECT;
+-			else
+-				return SMFIS_ACCEPT;
++				if (conf->conf_reject_multi_from)
++					return SMFIS_REJECT;
++				else
++					return SMFIS_ACCEPT;
++			}
+ 		}
+ 
+ 		user = users[0];
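Review bot: the new condition `domains[0] != NULL && domains[c] != NULL && strcasecmp(...) != 0` fixes the NULL dereference, but when domains[c] is NULL for a non-NULL users[c] (an address whose domain could not be parsed) the loop now continues silently and the message falls through to `user = users[0];` as if it had a single, well-formed From. Consider whether an address with an unparseable domain should be logged and handled under conf_reject_multi_from like a domain mismatch, since the previous code at least treated any multi-valued From as suspicious; the patch header's "Fix multi-value From rejection logic" should also spell out that same-domain multi-valued From headers are now accepted without the reject/accept branch.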
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series opendmarc-1.4.0~beta1+dfsg/debian/patches/series
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/series	2021-06-02 12:14:59.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series	2021-06-15 16:23:10.000000000 +0200
@@ -12,3 +12,4 @@
 cve-2019-16378.patch
 cve-2020-12272.patch
 cve-2019-20790.patch
+cve-2021-34555.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---