Public bug reported: OpenBSD 6.6 errata 021, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

This affects Debian versions since 5.7.3p2 (released upstream 2016-02-02). In particular, every Ubuntu release since xenial is affected.

Quoting from the advisory:

    This vulnerability, an out-of-bounds read introduced in December 2015
    (commit 80c6a60c, "when peer outputs a multi-line response ..."), is
    exploitable remotely and leads to the execution of arbitrary shell
    commands: either as root, after May 2018 (commit a8e22235, "switch
    smtpd to new grammar"); or as any non-root user, before May 2018.

https://www.openwall.com/lists/oss-security/2020/02/24/5

The other advisory fixed by the patches does not appear to affect Debian because /proc/sys/fs/protected_hardlinks is 1 by default:

https://www.openwall.com/lists/oss-security/2020/02/24/4

** Affects: opensmtpd (Ubuntu)
     Importance: Critical
         Status: Fix Released

** Affects: opensmtpd (Ubuntu Xenial)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Ubuntu Bionic)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Ubuntu Eoan)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Debian)
     Importance: Unknown
         Status: Unknown

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8794

** Bug watch added: Debian Bug tracker #952453
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453

** Also affects: opensmtpd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453
     Importance: Unknown
         Status: Unknown

** Also affects: opensmtpd (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: opensmtpd (Ubuntu Eoan)
     Importance: Undecided
         Status: New

** Also affects: opensmtpd (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: opensmtpd (Ubuntu Xenial)
         Status: New => Confirmed

** Changed in: opensmtpd (Ubuntu Bionic)
         Status: New => Confirmed

** Changed in: opensmtpd (Ubuntu Eoan)
         Status: New => Confirmed

** Changed in: opensmtpd (Ubuntu Xenial)
     Importance: Undecided => Critical

** Changed in: opensmtpd (Ubuntu Bionic)
     Importance: Undecided => Critical

** Changed in: opensmtpd (Ubuntu Eoan)
     Importance: Undecided => Critical

** Changed in: opensmtpd (Ubuntu)
         Status: Confirmed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1864707
Title: arbitrary command execution vulnerability