Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: opendkim@packages.debian.org
Control: affects -1 + src:opendkim

(The same as #1056732, this time targeting oldstable)

After sponsoring the maintainer David Bürgin I've offered them to tackle s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285)

Before the upload, stable and sid were at the same version, namely 2.11.0~beta2-8, so the patch could have been applied as is, without changes needed. Additional changes, not suitable for s-p-u, have been dropped.

The patch is authored by David Bürgin and they confirm that they have tested the patch and it indeed fixes the issue (quote from #1056285#19):

> Hello Tobi,
>
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, because unfortunately there is not a lot of information available
> > e.g. from the upstream issue and upstream seems to be generally very
> > silent…
>
> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

(I've uploaded the package to the s-p-u queue already.)

debdiff attached.
diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog
--- opendkim-2.11.0~beta2/debian/changelog 2020-10-12 15:15:30.000000000 +0200
+++ opendkim-2.11.0~beta2/debian/changelog 2023-12-01 19:17:01.000000000 +0100
@@ -1,3 +1,13 @@
+opendkim (2.11.0~beta2-4+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+
+ [ David Bürgin ]
+ * Add patch "rev-ares-deletion.patch" for CVE-2022-48521:
+ Delete Authentication-Results headers in reverse (Closes: #1041107).
+
+ -- Tobias Frost <tobi@debian.org> Fri, 01 Dec 2023 19:17:01 +0100
+
opendkim (2.11.0~beta2-4) unstable; urgency=medium
* Update debhelper-compat to compatibility level 13.
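Review bot: the new entry's "Non-maintainer upload by the Security Team." does not match the cover text, which describes a sponsored oldstable proposed-update (Tags: bullseye, Usertags: pu), not a Security Team upload; a plain "Non-maintainer upload." is the accurate wording. The cover text also says the pre-upload version was 2.11.0~beta2-8 while this entry builds 2.11.0~beta2-4+deb11u1 on top of 2.11.0~beta2-4, so it would help to state the bullseye baseline explicitly so the base of the debdiff is unambiguous.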
diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch
--- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 1970-01-01 01:00:00.000000000 +0100
+++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 2023-12-01 19:11:21.000000000 +0100
@@ -0,0 +1,33 @@
+Description: Delete Authentication-Results headers in reverse (CVE-2022-48521)
+Author: David Bürgin <dbuergin@gluet.ch>
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189
+
+--- a/opendkim/opendkim.c
++++ b/opendkim/opendkim.c
+@@ -13651,9 +13651,16 @@
+ return SMFIS_TEMPFAIL;
+ }
+
+- c = 0;
++ c = 1;
++
+ for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next)
+ {
++ if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
++ c++;
++ }
++
++ for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev)
++ {
+ memset(ares, '\0', sizeof(struct authres));
+
+ if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
+@@ -13664,7 +13671,7 @@
+ char *slash;
+
+ /* remember index */
+- c++;
++ c--;
+
+ /* parse the header */
+ arstat = ares_parse((u_char *) hdr->hdr_val,
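Review bot: the second inner hunk turns the "remember index" bookkeeping into `c--`, but the call that passes `c` as the header index to delete lies beyond the visible context, so this hunk alone does not show that nothing between the decrement and that call still assumes an upward count; extending the context a few lines, or saying so in the Description, would make the patch self-evidently complete. The first inner hunk starts `c = 1`, counts every Authentication-Results header with the same strcasecmp test the deletion loop uses, and then walks from mctx_hqtail via hdr_prev decrementing before use, so the indices run n..1 in 1-based milter numbering; the DEP-3 Description should spell out that reverse order is what keeps each index valid (deleting the last remaining occurrence never shifts an earlier one), since that is the whole point of the CVE fix.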
diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series
--- opendkim-2.11.0~beta2/debian/patches/series 2020-07-24 10:48:27.000000000 +0200
+++ opendkim-2.11.0~beta2/debian/patches/series 2023-12-01 19:14:10.000000000 +0100
@@ -4,3 +4,4 @@
fix-miltertest-eom-check-smtpreply.patch
fix-genzone-subdomains.patch
suppress-brackets-syslog.patch
+rev-ares-deletion.patch
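To show why the attached patch walks the header list in reverse, here is an added C example that is not part of the debdiff or of OpenDKIM: it models a milter's "delete the n-th header of this name" call against an MTA that re-indexes the remaining headers after each deletion (the behaviour assumed here), runs the pre-patch forward count and the patched reverse count over a constructed message, and reports how many forged Authentication-Results headers each leaves behind. The authserv-id check, the sample headers and the authserv-id mx.example.net are constructed for this example.

```c
#include <string.h>
#include <strings.h>
#define AUTHRESULTSHDR "Authentication-Results"
#define OUR_ID "mx.example.net" /* assumed authserv-id of this milter (constructed) */
struct header { const char *name, *value; }; struct message { struct header hdr[8]; int count; };
/* Stand-in for smfi_chgheader(ctx, name, idx, NULL): delete the idx-th (1-based) header
 * called name as the message stands NOW, so every later one shifts down by one. */
static void mta_delete_nth(struct message *m, const char *name, int idx)
{
    int i, seen = 0;
    for (i = 0; i < m->count; i++)
        if (strcasecmp(m->hdr[i].name, name) == 0 && ++seen == idx) break;
    if (i == m->count) return; /* index past the end: a silent no-op, the bug's symptom */
    memmove(&m->hdr[i], &m->hdr[i + 1], (size_t)(m->count - i - 1) * sizeof m->hdr[0]);
    m->count--;
}
/* Constructed stand-in for OpenDKIM's authserv-id check: a header claiming OUR_ID is forged. */
static int claims_our_id(const struct header *h) { return strncasecmp(h->value, OUR_ID ";", strlen(OUR_ID ";")) == 0; }
/* The milter walks its own header snapshot while the MTA's live copy shrinks.
 * reverse == 0 is the pre-patch forward walk, reverse != 0 the patched walk. */
struct message strip_ar_headers(int reverse)
{
    struct message snap = { {                              /* constructed sample */
        { "From", "alice@example.org" },
        { AUTHRESULTSHDR, OUR_ID "; dkim=pass" },          /* forged */
        { AUTHRESULTSHDR, OUR_ID "; spf=pass" },           /* forged */
        { AUTHRESULTSHDR, "other.example; dkim=fail" },    /* legitimate: keep */
        { AUTHRESULTSHDR, OUR_ID "; dmarc=pass" } }, 5 };  /* forged */
    struct message live = snap; int c = reverse ? 1 : 0;
    if (reverse) /* the patch's first loop: count AR headers so c ends at n+1 */
        for (int i = 0; i < snap.count; i++)
            if (strcasecmp(snap.hdr[i].name, AUTHRESULTSHDR) == 0) c++;
    for (int k = 0; k < snap.count; k++) {
        const struct header *h = &snap.hdr[reverse ? snap.count - 1 - k : k];
        if (strcasecmp(h->name, AUTHRESULTSHDR) != 0) continue;
        c += reverse ? -1 : 1; /* "remember index" */
        if (claims_our_id(h)) mta_delete_nth(&live, AUTHRESULTSHDR, c);
    }
    return live;
}
/* Forged headers that survive: 2 after the forward walk, 0 after the reverse walk. */
int forged_left(int reverse)
{
    struct message m = strip_ar_headers(reverse); int left = 0;
    for (int i = 0; i < m.count; i++)
        left += strcasecmp(m.hdr[i].name, AUTHRESULTSHDR) == 0 && claims_our_id(&m.hdr[i]);
    return left;
}
```

The forward walk also deletes the legitimate other.example header (its index slid into the slot c was pointing at), so the pre-patch code both keeps forged results and drops real ones.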
Attachment:
signature.asc
Description: PGP signature