Bug 694968 (CVE-2019-16378) - <mail-filter/opendmarc-1.3.2-r3: Signature-bypass vulnerability with multiple 'From' addresses (CVE-2019-16378)
Summary: <mail-filter/opendmarc-1.3.2-r3: Signature-bypass vulnerability with multiple...
Status: IN_PROGRESS
Alias: CVE-2019-16378
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/trusteddomainproje...
Whiteboard: B4 [stable]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-09-19 14:08 UTC by Benny Pedersen
Modified: 2020-01-26 00:39 UTC

See Also:
Package list:
mail-filter/opendmarc-1.3.2-r3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description Benny Pedersen 2019-09-19 14:08:56 UTC
Golem, a German online IT magazine, reported a bug in OpenDMARC.
https://www.golem.de/news/opendmarc-aktiv-ausgenutzte-dmarc-sicherheitsluecke-ohne-fix-1909-143798.html

Protonmail found that bug being actively used
https://protonmail.com/blog/bellingcat-cyberattack-phishing/

Also, there is a proposed fix available as a pull request on GitHub
https://github.com/trusteddomainproject/OpenDMARC/pull/48
Comment 1 Larry the Git Cow gentoo-dev 2019-09-19 18:46:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d5480baf0d90e1a33e9b8dde0c9ba7051f989ef

commit 4d5480baf0d90e1a33e9b8dde0c9ba7051f989ef
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2019-09-19 18:46:01 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2019-09-19 18:46:17 +0000

    mail-filter/opendmarc: revbump with fix for CVE-2019-16378
    
    Bug: https://bugs.gentoo.org/694968
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 .../files/opendmarc-1.3.2-multiple-From.patch      | 35 +++++++++++
 mail-filter/opendmarc/opendmarc-1.3.2-r3.ebuild    | 72 ++++++++++++++++++++++
 2 files changed, 107 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-09-24 11:55:32 UTC
@ maintainer(s): Can we already stabilize >=mail-filter/opendmarc-1.3.2-r3?
Comment 3 Fabian Groffen gentoo-dev 2019-09-24 11:58:06 UTC
It is working fine so far in my testing setup; I think it should be good to go.
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-17 09:53:50 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-17 10:25:55 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-17 10:30:09 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-17 10:33:09 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-17 11:24:03 UTC
amd64 stable
Comment 9 Rolf Eike Beer 2019-10-24 22:11:02 UTC
hppa stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:48:37 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-11-13 16:10:32 UTC
ia64 stable