Description: "OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag."
Patch: https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f

Arch says 1.3.3 is out, but cannot see it on GitHub.
That patch is dirty (contains one more fix and a whitespace change), but I can see how it fixes the issue with calloc+1. There is a tag for rel-opendmarc-1-3-3 but it only includes a removal of non-free docs (compared to 1.3.2). So, I'll backport it to 1.3.3.
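Added example, not part of the original comment and not OpenDMARC's code: a generic C illustration of the bug class in the description (a NUL terminator written one byte past an exactly-sized heap buffer) and of the size+1 allocation mentioned above. The function names and the canary byte standing in for the next chunk's metadata are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xAA  /* stands in for the next chunk's size/PREV_INUSE byte */

/* Copy a report of `len` bytes into a buffer of `cap` logical bytes and
 * NUL-terminate it at index len, as a parser that treats the file as a C
 * string would. One extra real byte past `cap` holds the canary, so the
 * out-of-bounds write is observable without real undefined behaviour.
 * Returns 1 if the terminator landed on the canary, 0 if not, -1 on error. */
static int terminate_report(const char *report, size_t len, size_t cap)
{
    unsigned char *buf;
    int clobbered;
    if (cap < len)
        return -1;
    buf = calloc(cap + 1, 1);
    if (buf == NULL)
        return -1;
    buf[cap] = CANARY;           /* byte just past the logical allocation */
    memcpy(buf, report, len);
    buf[len] = '\0';             /* the terminator write */
    clobbered = (buf[cap] != CANARY);
    free(buf);
    return clobbered;
}

/* Before: buffer sized exactly to the input, terminator written at len. */
int vulnerable_sizing(const char *report, size_t len)
{
    return terminate_report(report, len, len);
}

/* After: one extra byte reserved for the terminator (allocation of len + 1). */
int hardened_sizing(const char *report, size_t len)
{
    return terminate_report(report, len, len + 1);
}

int main(void)
{
    const char report[] = "<feedback><record/></feedback>"; /* constructed sample */
    size_t len = strlen(report);
    printf("exact-size buffer clobbers next byte: %d\n", vulnerable_sizing(report, len));
    printf("size+1 buffer clobbers next byte:     %d\n", hardened_sizing(report, len));
    return 0;
}
```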
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69c7c3a6972811fa55db4e302dc11fd72dd8eacc

commit 69c7c3a6972811fa55db4e302dc11fd72dd8eacc
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-09-10 08:21:06 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-09-10 08:21:06 +0000

    mail-filter/opendmarc-1.3.3: version bump for security, bug #734158

    Bug: https://bugs.gentoo.org/734158
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/Manifest                     |  1 +
 .../files/opendmarc-1.3.3-CVE-2020-12460.patch     | 41 ++++++++++++
 mail-filter/opendmarc/opendmarc-1.3.3.ebuild       | 78 ++++++++++++++++++++++
 3 files changed, 120 insertions(+)
Thanks Fabian! Let us know when ready to stable.
(In reply to Sam James from comment #4)
> Thanks Fabian! Let us know when ready to stable.

Ready?
Been running it on a couple of servers now, haven't seen any issues, so good to go from here.
(In reply to Fabian Groffen from comment #6)
> Been running it on a couple of servers now, haven't seen any issues, so good
> to go from here.

Thank you!
sparc stable
ppc done
ppc64 stable
arm done
x86 done
amd64 done
hppa stable. Last arch, closing.
(In reply to Rolf Eike Beer from comment #14)
> hppa stable. Last arch, closing.

Not here ;) Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31d3f3cfcaf6e41124c9ccb20756be5efb744bec

commit 31d3f3cfcaf6e41124c9ccb20756be5efb744bec
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-10-16 06:21:41 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-10-16 06:21:41 +0000

    mail-filter/opendmarc-1.3.2-r3: cleanup for security

    Bug: https://bugs.gentoo.org/734158
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/Manifest                  |  1 -
 mail-filter/opendmarc/opendmarc-1.3.2-r3.ebuild | 70 -------------------------
 2 files changed, 71 deletions(-)
This issue was resolved and addressed in GLSA 202011-02 at https://security.gentoo.org/glsa/202011-02 by GLSA coordinator Sam James (sam_c).