
Bug 710680

Summary: mail-mta/opensmtpd: arbitrary commands execution in smtp_mailaddr in smtp_session.c via crafted SMTP session (CVE-2020-7247)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: trivial
CC: zx2c4
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~1 [ebuild cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-24 17:45:44 UTC
CVE-2020-7247 (https://nvd.nist.gov/vuln/detail/CVE-2020-7247):
  smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
  other products, allows remote attackers to execute arbitrary commands as
  root via a crafted SMTP session, as demonstrated by shell metacharacters in
  a MAIL FROM field. This affects the "uncommented" default configuration. The
  issue exists because of an incorrect return value upon failure of input
  validation.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-24 17:50:46 UTC

*** This bug has been marked as a duplicate of bug 707828 ***