Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 707828 (CVE-2020-7247) - <mail-mta/opensmtpd-6.0.3_p1-r2: Remote Code Execution Vulnerability (CVE-2020-7247)
Summary: <mail-mta/opensmtpd-6.0.3_p1-r2: Remote Code Execution Vulnerability (CVE-202...
Status: RESOLVED FIXED
Alias: CVE-2020-7247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Low trivial (vote)
Assignee: Gentoo Security
URL: https://www.qualys.com/2020/01/28/cve...
Whiteboard: ~1 [noglsa]
Keywords:
: 710680 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-02-02 00:15 UTC by filip ambroz
Modified: 2020-02-24 17:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-02 00:15:56 UTC
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Comment 1 filip ambroz 2020-02-02 00:23:30 UTC
Versions prior to 6.6 also vulnerable?
https://security-tracker.debian.org/tracker/CVE-2020-7247
Comment 2 Thomas Deutschmann gentoo-dev 2020-02-24 17:50:46 UTC
*** Bug 710680 has been marked as a duplicate of this bug. ***