From ${URL}:

Hi folks, I'm passing the gauntlet for anyone who wants to analyze this for impact etc. There's a remotely triggerable buffer overflow in OpenBSD's OpenSMTPD -- the latest version, 5.7.2 -- reachable by sending messages with huge header lines. Qualys recently published a result of a big audit, but it seems like they based their investigations primarily on an older version of OpenSMTPD that didn't have as much of the "filter" infrastructure. I'd recommend interested parties spend some time looking through the filter code, as there could be more problems. Here's a vulnerability in the filter io path:

## Already stabilized, bug added for tracking purposes with regards to GLSA and CVE assignment

Reproducible: Always
Adding to existing GLSA
Updating this bug to reflect the further security issues announced today as well.

From http://seclists.org/oss-sec/2015/q4/34:

OpenSMTPD 5.7.3 was released with fixes, and the release notes follow below. There may be other vulnerabilities also fixed by this release. A full diff follows for analysis and additional CVE assignment, in case that is necessary.

Thanks,
Jason

[1] http://seclists.org/oss-sec/2015/q4/25

---------- Forwarded message ----------
From: Gilles Chehade <gilles () poolp org>
Date: Mon, Oct 5, 2015 at 3:30 PM
Subject: Announce: OpenSMTPD 5.7.3 released
To: misc () opensmtpd org

[snipped]

Issues fixed in this release (since 5.7.2):
===========================================

- fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda [0]
- fix remote buffer overflow in unprivileged pony process [1]
- reworked offline enqueue to better protect against hardlink attacks [2]

[0] reported by Holger Jahn
[1] reported by Jason A. Donenfeld
[2] reported by Qualys Security
CVE Requested - http://seclists.org/oss-sec/2015/q4/34
This issue was resolved and addressed in GLSA 201601-04 at https://security.gentoo.org/glsa/201601-04 by GLSA coordinator Sergey Popov (pinkbyte).