Bug 724492

Summary:	<mail-mta/opensmtpd-6.7.1_p1: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	zx2c4
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=697704
Whiteboard:	~1 [noglsa]
Package list:		Runtime testing required:	---

Description Sam James archtester

2020-05-21 19:28:12 UTC

From release notes of 6.7.0p1:
"Fixed security vulnerabilities in smtpd(8). Corrected an out-of-bounds read in smtpd allowing an attacker to inject arbitrary commands into the envelope file to be executed as root, and ensured privilege revocation in smtpctl(8) to prevent arbitrary commands from being run with the _smtpq group."

Comment 1 Sam James archtester

2020-05-21 23:38:04 UTC

While adding a new ebuild, some consideration as to stabling again would be great (see bug 697704).

Comment 2 Sam James archtester

2020-05-24 18:51:48 UTC

Also fixes https://github.com/OpenSMTPD/OpenSMTPD/commit/3cd16ecd7ae83a4ba093f5376f5c4ea229316790.

Tree clean.