Summary: | <mail-filter/opendmarc-1.3.3: Buffer overflow in opendmarc_xml_parse (CVE-2020-12460) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | grobian |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/trusteddomainproject/OpenDMARC/issues/64 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=719836 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2020-07-27 23:47:41 UTC
Patch: https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f Arch say 1.3.3 is out, but cannot see it on the github. That patch is dirty (contains one more fix and a whitespace change), but I can see how it fixes the issue with calloc+1. There is a tag for rel-opendmarc-1-3-3 but it only includes a removal of non-free docs (compared to 1.3.2). So, I'll backport it to 1.3.3. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69c7c3a6972811fa55db4e302dc11fd72dd8eacc commit 69c7c3a6972811fa55db4e302dc11fd72dd8eacc Author: Fabian Groffen <grobian@gentoo.org> AuthorDate: 2020-09-10 08:21:06 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2020-09-10 08:21:06 +0000 mail-filter/opendmarc-1.3.3: version bump for security, bug #734158 Bug: https://bugs.gentoo.org/734158 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Fabian Groffen <grobian@gentoo.org> mail-filter/opendmarc/Manifest | 1 + .../files/opendmarc-1.3.3-CVE-2020-12460.patch | 41 ++++++++++++ mail-filter/opendmarc/opendmarc-1.3.3.ebuild | 78 ++++++++++++++++++++++ 3 files changed, 120 insertions(+) Thanks Fabian! Let us know when ready to stable. (In reply to Sam James from comment #4) > Thanks Fabian! Let us know when ready to stable. Ready? Been running it on a couple of servers now, haven't seen any issues, so good to go from here. (In reply to Fabian Groffen from comment #6) > Been running it on a couple of servers now, haven't seen any issues, so good > to go from here. Thank you! sparc stable ppc done ppc64 stable arm done x86 done amd64 done hppa stable. Last arch, closing. (In reply to Rolf Eike Beer from comment #14) > hppa stable. Last arch, closing. Not here ;) Please cleanup. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31d3f3cfcaf6e41124c9ccb20756be5efb744bec commit 31d3f3cfcaf6e41124c9ccb20756be5efb744bec Author: Fabian Groffen <grobian@gentoo.org> AuthorDate: 2020-10-16 06:21:41 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2020-10-16 06:21:41 +0000 mail-filter/opendmarc-1.3.2-r3: cleanup for security Bug: https://bugs.gentoo.org/734158 Package-Manager: Portage-3.0.4, Repoman-3.0.1 Signed-off-by: Fabian Groffen <grobian@gentoo.org> mail-filter/opendmarc/Manifest | 1 - mail-filter/opendmarc/opendmarc-1.3.2-r3.ebuild | 70 ------------------------- 2 files changed, 71 deletions(-) This issue was resolved and addressed in GLSA 202011-02 at https://security.gentoo.org/glsa/202011-02 by GLSA coordinator Sam James (sam_c). |