Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 734158 (CVE-2020-12460)

Summary: <mail-filter/opendmarc-1.3.3: Buffer overflow in opendmarc_xml_parse (CVE-2020-12460)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: grobian
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/trusteddomainproject/OpenDMARC/issues/64
See Also: https://bugs.gentoo.org/show_bug.cgi?id=719836
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 23:47:41 UTC
Description:
"OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-09 21:50:23 UTC
Patch: https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f

Arch say 1.3.3 is out, but cannot see it on the github.
Comment 2 Fabian Groffen gentoo-dev 2020-09-10 08:19:48 UTC
That patch is dirty (contains one more fix and a whitespace change), but I can see how it fixes the issue with calloc+1.

There is a tag for rel-opendmarc-1-3-3 but it only includes a removal of non-free docs (compared to 1.3.2).

So, I'll backport it to 1.3.3.
Comment 3 Larry the Git Cow gentoo-dev 2020-09-10 08:21:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69c7c3a6972811fa55db4e302dc11fd72dd8eacc

commit 69c7c3a6972811fa55db4e302dc11fd72dd8eacc
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-09-10 08:21:06 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-09-10 08:21:06 +0000

    mail-filter/opendmarc-1.3.3: version bump for security, bug #734158
    
    Bug: https://bugs.gentoo.org/734158
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/Manifest                     |  1 +
 .../files/opendmarc-1.3.3-CVE-2020-12460.patch     | 41 ++++++++++++
 mail-filter/opendmarc/opendmarc-1.3.3.ebuild       | 78 ++++++++++++++++++++++
 3 files changed, 120 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 19:35:19 UTC
Thanks Fabian! Let us know when ready to stable.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-25 20:49:28 UTC
(In reply to Sam James from comment #4)
> Thanks Fabian! Let us know when ready to stable.

Ready?
Comment 6 Fabian Groffen gentoo-dev 2020-09-26 06:53:53 UTC
Been running it on a couple of servers now, haven't seen any issues, so good to go from here.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-26 11:59:20 UTC
(In reply to Fabian Groffen from comment #6)
> Been running it on a couple of servers now, haven't seen any issues, so good
> to go from here.

Thank you!
Comment 8 Rolf Eike Beer archtester 2020-09-28 18:09:19 UTC
sparc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-29 11:42:13 UTC
ppc done
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-02 10:39:09 UTC
ppc64 stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-02 21:34:54 UTC
arm done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-02 22:30:36 UTC
x86 done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-03 15:12:57 UTC
amd64 done
Comment 14 Rolf Eike Beer archtester 2020-10-15 18:54:55 UTC
hppa stable. Last arch, closing.
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 18:55:32 UTC
(In reply to Rolf Eike Beer from comment #14)
> hppa stable. Last arch, closing.

Not here ;)

Please cleanup.
Comment 16 Larry the Git Cow gentoo-dev 2020-10-16 06:29:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31d3f3cfcaf6e41124c9ccb20756be5efb744bec

commit 31d3f3cfcaf6e41124c9ccb20756be5efb744bec
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-10-16 06:21:41 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-10-16 06:21:41 +0000

    mail-filter/opendmarc-1.3.2-r3: cleanup for security
    
    Bug: https://bugs.gentoo.org/734158
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/Manifest                  |  1 -
 mail-filter/opendmarc/opendmarc-1.3.2-r3.ebuild | 70 -------------------------
 2 files changed, 71 deletions(-)
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-11-03 00:54:01 UTC
This issue was resolved and addressed in
 GLSA 202011-02 at https://security.gentoo.org/glsa/202011-02
by GLSA coordinator Sam James (sam_c).