arbitrary command execution vulnerability

Bug #1864707 reported by Ryan Kavanagh on 2020-02-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
opensmtpd (Debian)
Fix Released
Unknown
opensmtpd (Ubuntu)
Critical
Unassigned
Xenial
Critical
Unassigned
Bionic
Critical
Unassigned
Eoan
Critical
Unassigned

Bug Description

OpenBSD 6.6 errata 021, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

This affects Debian versions since 5.7.3p2 (released upstream
2016-02-02). In particular, every Ubuntu release since xenial is affected.
Quoting from the advisory:

    This vulnerability, an out-of-bounds read introduced in December
    2015 (commit 80c6a60c, "when peer outputs a multi-line response
    ..."), is exploitable remotely and leads to the execution of
    arbitrary shell commands: either as root, after May 2018 (commit
    a8e22235, "switch smtpd to new grammar"); or as any non-root user,
    before May 2018.

https://www.openwall.com/lists/oss-security/2020/02/24/5

The other advisory fixed by the patches does not appear to affect
Debian because /proc/sys/fs/protected_hardlinks is 1 by default:

https://www.openwall.com/lists/oss-security/2020/02/24/4

CVE References

Ryan Kavanagh (ryanakca) on 2020-02-25
Changed in opensmtpd (Ubuntu Xenial):
status: New → Confirmed
Changed in opensmtpd (Ubuntu Bionic):
status: New → Confirmed
Changed in opensmtpd (Ubuntu Eoan):
status: New → Confirmed
Changed in opensmtpd (Ubuntu Xenial):
importance: Undecided → Critical
Changed in opensmtpd (Ubuntu Bionic):
importance: Undecided → Critical
Changed in opensmtpd (Ubuntu Eoan):
importance: Undecided → Critical
Changed in opensmtpd (Ubuntu):
status: Confirmed → Fix Released
Ryan Kavanagh (ryanakca) wrote :

My bad, I thought this was fixed by the sync, but it looks like it got caught up by the debian import freeze.

Changed in opensmtpd (Ubuntu):
status: Fix Released → Confirmed
Mike Salvatore (mikesalvatore) wrote :

Released 6.0.3p1-1ubuntu0.2 for bionic.

Changed in opensmtpd (Ubuntu Bionic):
status: Confirmed → Fix Released
Mike Salvatore (mikesalvatore) wrote :

Released 6.0.3p1-6ubuntu0.2 for eoan

Changed in opensmtpd (Ubuntu Eoan):
status: Confirmed → Fix Released
Changed in opensmtpd (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.