Control: tags -1 confirmed moreinfo

On 2021-06-18 10:03:21 +0200, David Bürgin wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please pre-approve unblock of package opendmarc
>
> Recently several fixes for CVEs in OpenDMARC have landed in bullseye
> thanks to unblock request #989324 being granted.
>
> Now reports of crashes have arrived at the upstream bug tracker,
> resulting in new CVE-2021-34555. It appears that the fix for
> CVE-2019-16378 contains code that can segfault, given certain inputs. An
> attacker can crash the current bullseye/sid version at will, so a fix is
> urgently needed.
>
> I have created a patch and proposed it upstream and would like to apply
> it here as well via sponsorship on debian-mentors, hence this request
> for pre-approval.
>
> [ Reason ]
> A fix for new CVE-2021-34555 has been proposed upstream.
>
> [ Impact ]
> Current opendmarc 1.4.0~beta1+dfsg-5 can be trivially crashed by a third
> party leading to denial of service outage.
>
> [ Tests ]
> Reporter at upstream has confirmed the fix works, I also verified it via
> manual test.
>
> [ Risks ]
> Upstream is not active, but they might prefer a different fix when they
> come back.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock opendmarc/1.4.0~beta1+dfsg-6
ACK, please remove the moreinfo tag once the new version is available in unstable. Cheers > diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog > opendmarc-1.4.0~beta1+dfsg/debian/changelog > --- opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-02 > 14:17:33.000000000 +0200 > +++ opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-18 > 09:37:57.000000000 +0200 > @@ -1,3 +1,10 @@ > +opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high > + > + * Add patch for CVE-2021-34555 from upstream issue tracker: > + - Do not dereference NULL in multi-value From headers (Closes: #990001) > + > + -- David Bürgin <dbuer...@gluet.ch> Fri, 18 Jun 2021 09:37:57 +0200 > + > opendmarc (1.4.0~beta1+dfsg-5) unstable; urgency=high > > * Amend cve-2020-12272.patch to keep libopendmarc2 public ABI unchanged > diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch > opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch > --- opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ opendmarc-1.4.0~beta1+dfsg/debian/patches/cve-2021-34555.patch > 2021-06-15 16:36:43.000000000 +0200 
> @@ -0,0 +1,38 @@ > +Description: CVE-2021-34555: Fix multi-value From rejection logic > +Author: David Bürgin <dbuer...@gluet.ch> > +Bug: https://github.com/trusteddomainproject/OpenDMARC/pull/178 > + > +--- a/opendmarc/opendmarc.c > ++++ b/opendmarc/opendmarc.c > +@@ -2517,17 +2517,22 @@ > + > + for (c = 1; users[c] != NULL; c++) > + { > +- if (strcasecmp(domains[0], domains[c]) != 0) > ++ if (domains[0] != NULL > ++ && domains[c] != NULL > ++ && strcasecmp(domains[0], domains[c]) != 0) > + { > +- syslog(LOG_ERR, > +- "%s: multi-valued From field detected", > +- dfc->mctx_jobid); > +- } > ++ if (conf->conf_dolog) > ++ { > ++ syslog(LOG_ERR, > ++ "%s: multi-valued From field > detected", > ++ dfc->mctx_jobid); > ++ } > + > +- if (conf->conf_reject_multi_from) > +- return SMFIS_REJECT; > +- else > +- return SMFIS_ACCEPT; > ++ if (conf->conf_reject_multi_from) > ++ return SMFIS_REJECT; > ++ else > ++ return SMFIS_ACCEPT; > ++ } > + } > + > + user = users[0]; > diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series > opendmarc-1.4.0~beta1+dfsg/debian/patches/series > --- opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-02 > 12:14:59.000000000 +0200 > +++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-15 > 16:23:10.000000000 +0200 > @@ -12,3 +12,4 @@ > cve-2019-16378.patch > cve-2020-12272.patch > cve-2019-20790.patch > +cve-2021-34555.patch -- Sebastian Ramacher
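Review bot: the debian/changelog hunk records only "Do not dereference NULL in multi-value From headers", but the patch it introduces also moves the `return SMFIS_REJECT;` / `return SMFIS_ACCEPT;` pair inside the domain-mismatch branch and gates the syslog call on `conf->conf_dolog`, so a From header whose addresses all share one domain is now processed instead of being returned early on the first loop iteration. List those two behaviour changes in the changelog entry so the release team can see the full scope of what lands in bullseye.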
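Review bot: in the cve-2021-34555.patch hunk, the new guard `domains[0] != NULL && domains[c] != NULL && strcasecmp(domains[0], domains[c]) != 0` skips the whole comparison when either side is NULL, so a From header whose first address has no domain while a later one does never reaches the reject/accept branch and falls through to `user = users[0];`. If a missing domain on one side should still count as a multi-valued From, add a check for `(domains[0] == NULL) != (domains[c] == NULL)` alongside the strcasecmp; if falling through is the intended behaviour, state that in the patch Description so the next reviewer does not have to reconstruct the reasoning from the loop.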