Bug 694968 (CVE-2019-16378) - <mail-filter/opendmarc-1.3.2-r3: Signature-bypass vulnerability with multiple 'From' addresses (CVE-2019-16378)
Status: RESOLVED FIXED
Alias: CVE-2019-16378
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/trusteddomainproje...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-19 14:08 UTC by Benny Pedersen
Modified: 2020-05-04 01:13 UTC (History)

See Also:
Package list:
mail-filter/opendmarc-1.3.2-r3
Runtime testing required: ---


Attachments

Description Benny Pedersen 2019-09-19 14:08:56 UTC
Golem, a German online IT magazine, reported on a bug in OpenDMARC.
https://www.golem.de/news/opendmarc-aktiv-ausgenutzte-dmarc-sicherheitsluecke-ohne-fix-1909-143798.html

Protonmail found that bug being actively used:
https://protonmail.com/blog/bellingcat-cyberattack-phishing/

Also, there is a proposed fix available as a pull request on GitHub:
https://github.com/trusteddomainproject/OpenDMARC/pull/48
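The bug title says "signature-bypass vulnerability with multiple 'From' addresses" but the report itself does not spell out the mechanics. The following is an added illustration, not OpenDMARC's code and not the contents of the referenced pull request: it models, in simplified form, why a DMARC evaluator that picks a single address out of a From: field (or out of several From: fields) can be made to report "pass" for a message whose displayed sender is a different domain, and it shows the strict check a milter should apply instead. Assumptions, labeled in the code: the sample header blocks are constructed; "the naive evaluator takes the first address" is a simplified model of the flaw and not a claim about OpenDMARC's actual parsing; the alignment test is a reduced version of relaxed alignment (exact match or subdomain) rather than a full organizational-domain lookup; the authenticated domain is passed in to stand for whatever SPF/DKIM verified.

```python
"""Added example (not OpenDMARC's code): the multiple-From DMARC bypass
class and a strict From: check that refuses ambiguous messages."""
from email.parser import HeaderParser
from email.utils import getaddresses

# Constructed sample header blocks; not real traffic.
LEGIT = ("From: ceo@victim.example\n"
         "To: staff@victim.example\nSubject: hello\n\n")
# One From: field carrying two addresses: the attacker's own domain,
# which the attacker can authenticate, plus the domain to impersonate.
MULTI_ADDR = ("From: attacker@evil.example, ceo@victim.example\n"
              "To: staff@victim.example\nSubject: hello\n\n")
# Two separate From: fields, which RFC 5322 forbids.
MULTI_HDR = ("From: attacker@evil.example\nFrom: ceo@victim.example\n"
             "To: staff@victim.example\nSubject: hello\n\n")


def from_fields(raw_headers):
    """All From: field bodies, in order of appearance."""
    msg = HeaderParser().parsestr(raw_headers)
    return msg.get_all("From") or []


def from_addresses(raw_headers):
    """Every address found across every From: field, lowercased."""
    return [addr.lower()
            for _name, addr in getaddresses(from_fields(raw_headers))
            if addr]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def from_domain_naive(raw_headers):
    """Simplified model of the flawed behaviour (an assumption, not a
    description of OpenDMARC's parser): take one address and silently
    ignore the rest."""
    addrs = from_addresses(raw_headers)
    return domain_of(addrs[0]) if addrs else None


def from_domain_strict(raw_headers):
    """Hardened: exactly one From: field with exactly one address,
    otherwise None so the caller treats the message as failing."""
    if len(from_fields(raw_headers)) != 1:
        return None
    addrs = from_addresses(raw_headers)
    if len(addrs) != 1:
        return None
    return domain_of(addrs[0])


def dmarc_result(raw_headers, authenticated_domain, strict=True):
    """Reduced relaxed-alignment check: pass when the From domain equals,
    or is a subdomain of, the domain that SPF/DKIM authenticated.
    A None From domain (ambiguous From:) is a fail."""
    pick = from_domain_strict if strict else from_domain_naive
    dom = pick(raw_headers)
    if dom is None:
        return "fail"
    auth = authenticated_domain.lower()
    return "pass" if dom == auth or dom.endswith("." + auth) else "fail"


if __name__ == "__main__":
    # The attacker authenticates evil.example; the naive evaluator aligns
    # on that and passes, while the recipient sees ceo@victim.example.
    print("naive  multi-address:", dmarc_result(MULTI_ADDR, "evil.example", strict=False))
    print("strict multi-address:", dmarc_result(MULTI_ADDR, "evil.example"))
    print("strict multi-header: ", dmarc_result(MULTI_HDR, "evil.example"))
    print("strict legitimate:   ", dmarc_result(LEGIT, "victim.example"))
```

The operational point for anyone running a DMARC milter: a message with more than one From: field, or more than one address in its single From: field, has no unambiguous RFC5322.From domain to align on, so the safe result is a failure (and, at the MTA, typically a reject), never "pass" on whichever address the parser happened to pick.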
Comment 1 Larry the Git Cow gentoo-dev 2019-09-19 18:46:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d5480baf0d90e1a33e9b8dde0c9ba7051f989ef

commit 4d5480baf0d90e1a33e9b8dde0c9ba7051f989ef
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2019-09-19 18:46:01 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2019-09-19 18:46:17 +0000

    mail-filter/opendmarc: revbump with fix for CVE-2019-16378
    
    Bug: https://bugs.gentoo.org/694968
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 .../files/opendmarc-1.3.2-multiple-From.patch      | 35 +++++++++++
 mail-filter/opendmarc/opendmarc-1.3.2-r3.ebuild    | 72 ++++++++++++++++++++++
 2 files changed, 107 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-24 11:55:32 UTC
@ maintainer(s): Can we already stabilize >=mail-filter/opendmarc-1.3.2-r3?
Comment 3 Fabian Groffen gentoo-dev 2019-09-24 11:58:06 UTC
It is working fine so far in my testing setup; I think it should be good to go.
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-17 09:53:50 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-17 10:25:55 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-17 10:30:09 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-17 10:33:09 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-17 11:24:03 UTC
amd64 stable
Comment 9 Rolf Eike Beer archtester 2019-10-24 22:11:02 UTC
hppa stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:48:37 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-11-13 16:10:32 UTC
ia64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 17:39:24 UTC
Are we ok to cleanup?
Comment 13 NATTkA bot gentoo-dev 2020-04-06 15:06:26 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-27 18:45:31 UTC
@maintainer(s), please cleanup
Comment 15 Larry the Git Cow gentoo-dev 2020-04-28 05:57:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eae0fa1836faa9f2224b7f926f575d35c1d9ecda

commit eae0fa1836faa9f2224b7f926f575d35c1d9ecda
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-04-28 05:57:02 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-04-28 05:57:02 +0000

    mail-filter/opendmarc: cleanup, bug #694968
    
    Bug: https://bugs.gentoo.org/694968
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/Manifest                  |  1 -
 mail-filter/opendmarc/opendmarc-1.1.3.ebuild    | 29 -----------
 mail-filter/opendmarc/opendmarc-1.3.2-r1.ebuild | 63 -----------------------
 mail-filter/opendmarc/opendmarc-1.3.2-r2.ebuild | 66 -------------------------
 4 files changed, 159 deletions(-)