Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please pre-approve unblock of package opendmarc

Recently several fixes for CVEs in OpenDMARC have landed in bullseye thanks to unblock request #989324 being granted. Now reports of crashes have arrived at the upstream bug tracker, resulting in new CVE-2021-34555. It appears that the fix for CVE-2019-16378 contains code that can segfault, given certain inputs. An attacker can crash the current bullseye/sid version at will, so a fix is urgently needed.

I have created a patch and proposed it upstream and would like to apply it here as well via sponsorship on debian-mentors, hence this request for pre-approval.

[ Reason ]
A fix for new CVE-2021-34555 has been proposed upstream.

[ Impact ]
Current opendmarc 1.4.0~beta1+dfsg-5 can be trivially crashed by a third party, leading to a denial of service outage.

[ Tests ]
Reporter at upstream has confirmed the fix works; I also verified it via manual test.

[ Risks ]
Upstream is not active, but they might prefer a different fix when they come back.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock opendmarc/1.4.0~beta1+dfsg-6
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog --- opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-02 14:17:33.000000000 +0200 +++ opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-18 09:37:57.000000000 +0200 @@ -1,3 +1,10 @@ +opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high + + * Add patch for CVE-2021-34555 from upstream issue tracker: + - Do not dereference NULL in multi-value From headers (Closes: #990001) + + -- David Bürgin <dbuer...@gluet.ch> Fri, 18 Jun 2021 09:37:57 +0200 + opendmarc (1.4.0~beta1+dfsg-5) unstable; urgency=high * Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch --- opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch 1970-01-01 01:00:00.000000000 +0100 +++ opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch 2021-06-15 16:36:43.000000000 +0200 
@@ -0,0 +1,38 @@ +Description: CVE-2021-34555: Fix multi-value From rejection logic +Author: David Bürgin <dbuer...@gluet.ch> +Bug: https://github.com/trusteddomainproject/OpenDMARC/pull/178 + +--- a/opendmarc/opendmarc.c ++++ b/opendmarc/opendmarc.c +@@ -2517,17 +2517,22 @@ + + for (c = 1; users[c] != NULL; c++) + { +- if (strcasecmp(domains[0], domains[c]) != 0) ++ if (domains[0] != NULL ++ && domains[c] != NULL ++ && strcasecmp(domains[0], domains[c]) != 0) + { +- syslog(LOG_ERR, +- "%s: multi-valued From field detected", +- dfc->mctx_jobid); +- } ++ if (conf->conf_dolog) ++ { ++ syslog(LOG_ERR, ++ "%s: multi-valued From field detected", ++ dfc->mctx_jobid); ++ } + +- if (conf->conf_reject_multi_from) +- return SMFIS_REJECT; +- else +- return SMFIS_ACCEPT; ++ if (conf->conf_reject_multi_from) ++ return SMFIS_REJECT; ++ else ++ return SMFIS_ACCEPT; ++ } + } + + user = users[0]; diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series opendmarc-1.4.0~beta1+dfsg/debian/patches/series --- opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-02 12:14:59.000000000 +0200 +++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-15 16:23:10.000000000 +0200 @@ -12,3 +12,4 @@ cve-2019-16378.patch cve-2020-12272.patch cve-2019-20790.patch +cve-2021-34555.patch
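Review bot: In the opendmarc.c hunk the added `domains[0] != NULL && domains[c] != NULL` guard does more than avoid the NULL dereference: when either entry is NULL the address pair is silently treated as matching, so a From header whose first or c-th address carries no domain part no longer triggers the multi-valued check at all, and the loop still bounds on `users[c] != NULL` while indexing `domains[c]`, which assumes `domains[]` is a parallel, NULL-terminated array at least as long as `users[]`; please state both of these (the skip-on-NULL policy and the parallel-array invariant) in a comment above the loop. Two further behaviour changes in the same hunk are not reflected in the changelog entry "Do not dereference NULL in multi-value From headers": the `syslog(LOG_ERR, ...)` call is now gated on `conf->conf_dolog`, and the `if (conf->conf_reject_multi_from) return SMFIS_REJECT; else return SMFIS_ACCEPT;` block is moved inside the mismatch `if`, so the function no longer returns unconditionally on the first iteration when the domains actually match; both are fixes worth having, but the changelog and the patch Description should name them so the reviewer of a future upstream merge does not take them for accidental drift.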