--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
I would like to propose a stable update for opendmarc.
[ Reason ]
Since releasing the opendmarc version in Debian bullseye, two important
issues affecting it have been reported upstream.
[ Impact ]
1) opendmarc-import is broken in Debian bullseye (regression).
https://github.com/trusteddomainproject/OpenDMARC/issues/189
2) opendmarc crashes when receiving certain ARC-Seal headers.
https://github.com/trusteddomainproject/OpenDMARC/issues/183
[ Tests ]
For issue 1) I have tested the fix with MariaDB on Debian bullseye.
For issue 2) I am using the identical patch in unstable myself.
[ Risks ]
None that I know of; the fixes are small and seem sensible enough.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
See changelog and debdiff.
Please let me upload this update via Debian mentors.
Thank you.
--
David
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/changelog opendmarc-1.4.0~beta1+dfsg/debian/changelog
--- opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-06-18 09:37:57.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/changelog 2021-11-03 16:56:39.000000000 +0100
@@ -1,3 +1,12 @@
+opendmarc (1.4.0~beta1+dfsg-6+deb11u1) stable; urgency=medium
+
+ * Amend patch "ticket193.patch" (Closes: #995694):
+ - Remove unexplained diff that breaks opendmarc-import
+ * Add patch "arcseal-segfaults.patch" (Closes: #995703):
+ - Fix segfaults, increase token max lengths in ARC-Seal headers
+
+ -- David Bürgin <dbuer...@gluet.ch> Wed, 03 Nov 2021 16:56:39 +0100
+
opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high
* Add patch for CVE-2021-34555 from upstream issue tracker:
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch 1970-01-01 01:00:00.000000000 +0100
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/arcseal-segfaults.patch 2021-11-03 14:25:50.000000000 +0100
@@ -0,0 +1,39 @@
+Description: Fix segfaults, increase token max lengths in ARC-Seal headers
+Origin: other, https://github.com/trusteddomainproject/OpenDMARC/files/6717466/opendmarc-arcseal.patch.txt
+Bug: https://github.com/trusteddomainproject/OpenDMARC/issues/183
+
+--- a/opendmarc/opendmarc-arcseal.c
++++ b/opendmarc/opendmarc-arcseal.c
+@@ -24,7 +24,7 @@
+ #include "opendmarc.h"
+
+ #define OPENDMARC_ARCSEAL_MAX_FIELD_NAME_LEN 255
+-#define OPENDMARC_ARCSEAL_MAX_TOKEN_LEN 512
++#define OPENDMARC_ARCSEAL_MAX_TOKEN_LEN 768
+
+ /* tables */
+ struct opendmarc_arcseal_lookup
+@@ -223,7 +223,12 @@
+ if (*token_ptr == '\0')
+ return 0;
+ tag_label = strsep(&token_ptr, "=");
++ if (token_ptr == NULL)
++ return 0;
++
+ tag_value = opendmarc_arcseal_strip_whitespace(token_ptr);
++ if (tag_value == NULL)
++ return 0;
+
+ tag_code = opendmarc_arcseal_convert(as_tags, tag_label);
+
+--- a/opendmarc/opendmarc-arcseal.h
++++ b/opendmarc/opendmarc-arcseal.h
+@@ -32,7 +32,7 @@
+ /* max header tag value length (short) */
+ #define OPENDMARC_ARCSEAL_MAX_SHORT_VALUE_LEN 256
+ /* max header tag value length (long) */
+-#define OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN 512
++#define OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN 768
+
+ /* names and field labels */
+ #define OPENDMARC_ARCSEAL_HDRNAME "ARC-Seal"
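Review bot: Raising `OPENDMARC_ARCSEAL_MAX_TOKEN_LEN` and `OPENDMARC_ARCSEAL_MAX_LONG_VALUE_LEN` from 512 to 768 only moves the limit. The code that copies tokens and values into buffers of these sizes is outside the hunk, so it should be confirmed that an ARC-Seal token or value longer than 768 bytes is rejected or truncated there rather than written past the buffer. In the parser hunk, both new guards use `return 0`, the same value the existing empty-token check returns, so a tag with no `=` is presumably indistinguishable to the caller from a normal end of input (the function starts and ends outside the hunk, so the meaning of 0 is not visible). A comment on the first guard such as `/* tag without '=': strsep() left token_ptr NULL, stop parsing here */` would record that this is intended. The two constants appear to be kept equal across the .c and .h files, so a short note beside each that they change together would prevent drift.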
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/series opendmarc-1.4.0~beta1+dfsg/debian/patches/series
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-06-15 16:23:10.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/series 2021-11-03 14:23:34.000000000 +0100
@@ -13,3 +13,4 @@
cve-2020-12272.patch
cve-2019-20790.patch
cve-2021-34555.patch
+arcseal-segfaults.patch
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch 2021-06-15 16:21:17.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket193.patch 2021-11-03 14:18:41.000000000 +0100
@@ -107,92 +107,3 @@
$rows = $dbi_s->execute($maxage);
if (!$rows)
{
-diff --git a/reports/opendmarc-import.in b/reports/opendmarc-import.in
-index 3a2f404..259f546 100755
---- a/reports/opendmarc-import.in
-+++ b/reports/opendmarc-import.in
-@@ -233,14 +233,12 @@ sub update_db
- $envfrom_id = get_table_id($envdomain, "domains");
- $pdomain_id = get_table_id($pdomain, "domains");
- $ipaddr_id = get_table_id($ipaddr, "ipaddr", "addr");
-- $request_id = get_table_id($from_id, "requests", "domain");
-
- if (!defined($rep_id) ||
- !defined($from_id) ||
- !defined($envfrom_id) ||
- !defined($pdomain_id) ||
-- !defined($ipaddr_id) ||
-- !defined($request_id))
-+ !defined($ipaddr_id))
- {
- return;
- }
-@@ -372,39 +370,48 @@ sub update_db
-
- if (get_value("requests", "locked", $request_id) != 1)
- {
-- if (scalar @rua > 0)
-+ print STDERR "$progname: failed to retrieve table ID: " . $dbi_h->errstr . "\n";
-+ return undef;
-+ }
-+
-+ undef $request_id;
-+ while ($dbi_a = $dbi_t->fetchrow_arrayref())
-+ {
-+ if (defined($dbi_a->[0]))
- {
-- $repuri = join(",", @rua);
-- $dbi_s = $dbi_h->prepare("UPDATE requests SET repuri = ? WHERE id = ?");
-+ $request_id = $dbi_a->[0];
-+ }
-+ }
-
-- if (!$dbi_s->execute($repuri, $request_id))
-- {
-- print STDERR "$progname: failed to update reporting URI for $fdomain: " . $dbi_h->errstr . "\n";
-- $dbi_s->finish;
-- return;
-- }
-+ $dbi_t->finish;
-
-- $dbi_s->finish;
-- }
-- else
-+ $repuri = join(",", @rua);
-+
-+ if (defined($request_id))
-+ {
-+ if (get_value("requests", "locked", $request_id) != 1)
- {
- $dbi_s = $dbi_h->prepare("UPDATE requests SET repuri = '' WHERE id = ?");
-
-- if (!$dbi_s->execute($request_id))
-+ if (!$dbi_s->execute($from_id, $repuri, $adkim, $aspf, $p, $sp, $pct, $request_id))
- {
-- print STDERR "$progname: failed to update reporting URI for $fdomain: " . $dbi_h->errstr . "\n";
-+ print STDERR "$progname: failed to update policy data for $fdomain: " . $dbi_h->errstr . "\n";
- $dbi_s->finish;
- return;
- }
--
-- $dbi_s->finish;
- }
-+ else
-+ {
-+ print STDERR "$progname: policy data for $fdomain not updated, because they are locked\n";
-+ }
-+ }
-+ else
-+ {
-+ $dbi_s = $dbi_h->prepare("insert requests SET domain = ?, repuri = ?, adkim = ?, aspf = ?, policy = ?, spolicy = ?, pct = ?");
-
-- $dbi_s = $dbi_h->prepare("UPDATE requests SET adkim = ?, aspf = ?, policy = ?, spolicy = ?, pct = ? WHERE id = ?");
--
-- if (!$dbi_s->execute($adkim, $aspf, $p, $sp, $pct, $request_id))
-+ if (!$dbi_s->execute($from_id, $repuri, $adkim, $aspf, $p, $sp, $pct))
- {
-- print STDERR "$progname: failed to update policy data for $fdomain: " . $dbi_h->errstr . "\n";
-+ print STDERR "$progname: failed to insert policy data for $fdomain: " . $dbi_h->errstr . "\n";
- $dbi_s->finish;
- return;
- }
diff -Nru opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch
--- opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch 2021-06-15 16:21:17.000000000 +0200
+++ opendmarc-1.4.0~beta1+dfsg/debian/patches/ticket204.patch 2021-11-03 14:16:40.000000000 +0100
@@ -11,7 +11,7 @@
index 259f546..9eaf1ab 100755
--- a/reports/opendmarc-import.in
+++ b/reports/opendmarc-import.in
-@@ -656,7 +656,7 @@ while (<$inputfh>)
+@@ -649,7 +649,7 @@ while (<$inputfh>)
}
case "from" {
@@ -20,7 +20,7 @@
}
case "job" {
-@@ -698,7 +698,7 @@ while (<$inputfh>)
+@@ -691,7 +691,7 @@ while (<$inputfh>)
}
case "mfrom" {
@@ -29,7 +29,7 @@
}
case "p" {
-@@ -710,7 +710,7 @@ while (<$inputfh>)
+@@ -703,7 +703,7 @@ while (<$inputfh>)
}
case "pdomain" {
--- End Message ---