
Bug 889024

Summary: mail-filter/opendkim: "Composition kills" vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: klondike, mjo
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/trusteddomainproject/OpenDKIM/issues/134
Whiteboard: ??
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-30 21:50:01 UTC
Unclear if there's anything actionable for us here, but
there's an upstream report at URL.
Comment 1 Michael Orlitzky gentoo-dev 2022-12-30 23:42:33 UTC
The USENIX talk is mostly about tricking user interfaces.

When used for signing, I don't see any issues that could affect OpenDKIM. 

For verification, there was one attack where Gmail could be tricked into making an incorrect DNS query by putting a NULL character in the selector name. Similar attacks could conceivably affect OpenDKIM, but the GitHub issue does not mention any specifically.

FWIW OpenDKIM is under-maintained upstream, and I would recommend using something else (SpamAssassin, dkimpy) for verification. But there are no obvious problems with OpenDKIM here.
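
Added example, not part of the comment above and not code from OpenDKIM or dkimpy: a verifier-side check that validates the `s=` and `d=` tags against the RFC 6376 / RFC 5321 grammar before building the key-lookup name, so a NUL or other stray byte in the selector is rejected instead of reaching the resolver. The function names and both sample header values are constructed for illustration.

```python
import re

# RFC 5321 sub-domain: letters and digits, inner hyphens allowed, 1..63 octets.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
_FWS = " \t\r\n"  # folding whitespace only; NUL is deliberately not stripped

# Constructed sample DKIM-Signature header values (not taken from real mail).
GOOD = "v=1; a=rsa-sha256; d=example.org; s=sel2022; h=from:to; bh=AAAA=; b=BBBB="
NUL_SELECTOR = "v=1; a=rsa-sha256; d=example.org; s=sel2022\x00junk; b=BBBB="


def parse_tag_list(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for spec in value.split(";"):
        if not spec.strip(_FWS):
            continue  # trailing ";" or empty element
        name, sep, val = spec.partition("=")
        name = name.strip(_FWS)
        if not sep or not name:
            raise ValueError("malformed tag-spec")
        if name in tags:
            # RFC 6376 section 3.2: a duplicated tag invalidates the whole list.
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = val.strip(_FWS)
    return tags


def _check_name(kind: str, name: str) -> str:
    for label in name.split("."):
        # fullmatch: NUL, control bytes, non-ASCII and empty labels all fail here.
        if not _LABEL.fullmatch(label):
            raise ValueError(f"invalid {kind} label {label!r}")
    return name.lower()


def dkim_query_name(header_value: str) -> str:
    """Return the DNS name to query for the public key, or raise ValueError."""
    tags = parse_tag_list(header_value)
    for required in ("s", "d"):
        if required not in tags:
            raise ValueError(f"missing required tag {required!r}")
    selector = _check_name("selector", tags["s"])
    domain = _check_name("domain", tags["d"])
    qname = f"{selector}._domainkey.{domain}"
    if len(qname) > 253:
        raise ValueError("query name too long")
    return qname
```

A signature whose tags fail these checks should be treated as invalid rather than sanitized and retried, so that the name shown to the user and the name queried in DNS cannot diverge.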
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-31 03:45:13 UTC
Works for me. I've subscribed to the bug upstream and I'll reopen if anything actionable comes of it.