OpenBSD Journal

Recent OpenSMTPD errata and you

Contributed by tj on from the inbox-full-of-fun dept.

OpenSMTPD has bumped its version number a couple of times in the last few days, and there's been some confusion about the security fixes each release includes. This post will bring you up to speed on what's affected and what's not.

On October 2nd, Gilles Chehade (gilles@) committed the following six fixes to smtpd in the base system:

CVSROOT:	/cvs
Module name:	src
Changes by:	gilles@cvs.openbsd.org	2015/10/01 18:26:45

Modified files:
	usr.sbin/smtpd : control.c 

Log message:
do not allow connid to wrap and collide with another active connection id.
this allows a local user to trigger a fatal() and exit the daemon.
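The first fix above is about a connection-id counter that wraps around and lands on an id still held by a live connection, at which point the daemon used to fatal(). As an added illustration (not OpenSMTPD's control.c), here is a small id allocator that keeps a table of live ids and skips any id that is still in use rather than treating the collision as fatal. The table size and the starting counter value are constructed to force the wrap quickly.

```c
/*
 * Added example (not OpenSMTPD code): allocating connection ids so that a
 * wrapped counter can never hand out an id still held by a live connection.
 * The table size and starting counter are constructed to force the wrap.
 */
#include <stdint.h>
#include <string.h>

#define MAX_ACTIVE 8   /* constructed: tiny table so the wrap is easy to exercise */

struct conn_table {
    uint32_t next_id;            /* increases monotonically, wraps at UINT32_MAX */
    uint32_t active[MAX_ACTIVE]; /* ids currently assigned to live connections */
    int      nactive;
};

/* Is id currently assigned to a live connection? */
static int conn_is_active(const struct conn_table *t, uint32_t id)
{
    for (int i = 0; i < t->nactive; i++)
        if (t->active[i] == id)
            return 1;
    return 0;
}

/*
 * Hand out a fresh id. 0 is reserved to mean "no id", and any id that is
 * still in use is skipped rather than reused, so a wrapped counter cannot
 * collide with an active connection. Returns 0 only when the table is full.
 */
uint32_t conn_alloc_id(struct conn_table *t)
{
    uint32_t id;

    if (t->nactive >= MAX_ACTIVE)
        return 0;
    /* At most nactive + 1 candidates are skipped, so this loop terminates. */
    do {
        id = t->next_id++;
    } while (id == 0 || conn_is_active(t, id));
    t->active[t->nactive++] = id;
    return id;
}

/* Mark id as no longer in use so it may be handed out again later. */
void conn_release_id(struct conn_table *t, uint32_t id)
{
    for (int i = 0; i < t->nactive; i++) {
        if (t->active[i] == id) {
            t->active[i] = t->active[--t->nactive];
            return;
        }
    }
}

/*
 * Walk the counter across the wrap. Returns how many of the five expected
 * outcomes held (5 when the allocator behaves as intended).
 */
int conn_demo_wrap(void)
{
    struct conn_table t;
    int ok = 0;

    memset(&t, 0, sizeof t);
    t.next_id = UINT32_MAX - 1;           /* two ids before the wrap */

    uint32_t a = conn_alloc_id(&t);       /* UINT32_MAX - 1 */
    uint32_t b = conn_alloc_id(&t);       /* UINT32_MAX */
    uint32_t c = conn_alloc_id(&t);       /* counter wraps to 0, which is skipped: 1 */
    ok += (a == UINT32_MAX - 1);
    ok += (b == UINT32_MAX);
    ok += (c == 1);

    /* Simulate the counter coming round again while a, b and c are still live:
     * all three and the reserved 0 must be skipped, so the next id is 2. */
    t.next_id = UINT32_MAX - 1;
    ok += (conn_alloc_id(&t) == 2);

    /* Once b is released its id may legitimately be reused. */
    conn_release_id(&t, b);
    t.next_id = UINT32_MAX;
    ok += (conn_alloc_id(&t) == UINT32_MAX);

    return ok;
}
```

The point is the do/while in conn_alloc_id(): a bare counter is only unique for as long as it does not wrap, so whenever an id doubles as a lookup key the allocator must consult the set of live ids and step past collisions instead of aborting.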

CVSROOT:	/cvs
Module name:	src
Changes by:	gilles@cvs.openbsd.org	2015/10/01 18:29:51

Modified files:
	usr.sbin/smtpd : lka_session.c 

Log message:
fix a stack-based buffer overflow in the token expansion code of the lookup
process (unprivileged), allowing a local user to crash the server or
potentially execute arbitrary code.

CVSROOT:	/cvs
Module name:	src
Changes by:	gilles@cvs.openbsd.org	2015/10/01 18:32:05

Modified files:
	usr.sbin/smtpd : mproc.c 

Log message:
introduce imsg_read_nofd() to allow reading imsg while discarding fd's when
reading from a context where we don't expect/want to receive one.

this prevents a local user from exhausting resources and causing smtpd to
hang by crafting valid imsg that don't expect a descriptor but passing one
anyways.
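The imsg fix above describes a receiver that must not accept a file descriptor it did not ask for: if the peer attaches one anyway and the receiver keeps it, descriptors pile up until the daemon hangs. The following is an added example, not OpenSMTPD's mproc.c or libutil's imsg code: a Unix-socket receiver that reads a message in "no descriptor expected" mode and closes any descriptor smuggled in via SCM_RIGHTS instead of retaining it. The sender side and the probe for leaked descriptors are constructed for the demonstration.

```c
/*
 * Added example (not OpenSMTPD code): receiving a message over a Unix socket
 * when no descriptor is expected, discarding any SCM_RIGHTS descriptor the
 * peer attached so it cannot accumulate and exhaust the descriptor table.
 */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Constructed sender: ship msg, attaching fd_to_pass via SCM_RIGHTS if it is not -1. */
int send_with_fd(int sock, const char *msg, size_t len, int fd_to_pass)
{
    struct msghdr mh;
    struct iovec iov;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf;

    memset(&mh, 0, sizeof mh);
    iov.iov_base = (void *)msg;
    iov.iov_len = len;
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    if (fd_to_pass != -1) {
        memset(&cmsgbuf, 0, sizeof cmsgbuf);
        mh.msg_control = cmsgbuf.buf;
        mh.msg_controllen = sizeof cmsgbuf.buf;
        struct cmsghdr *cm = CMSG_FIRSTHDR(&mh);
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    }
    return sendmsg(sock, &mh, 0) == (ssize_t)len ? 0 : -1;
}

/*
 * Read one message when no descriptor is wanted. Every SCM_RIGHTS descriptor
 * the kernel installed for us is closed on the spot; *discarded reports how
 * many. Returns the payload length or -1 on error (including truncated
 * control data, since then a descriptor may have arrived that we cannot see).
 */
ssize_t recv_nofd(int sock, char *buf, size_t len, int *discarded)
{
    struct msghdr mh;
    struct iovec iov;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(16 * sizeof(int))]; } cmsgbuf;
    ssize_t n;

    *discarded = 0;
    memset(&mh, 0, sizeof mh);
    iov.iov_base = buf;
    iov.iov_len = len;
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = cmsgbuf.buf;
    mh.msg_controllen = sizeof cmsgbuf.buf;
    n = recvmsg(sock, &mh, 0);
    if (n == -1)
        return -1;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&mh); cm != NULL; cm = CMSG_NXTHDR(&mh, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        size_t nfds = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < nfds; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm) + i * sizeof(int), sizeof(int));
            close(fd);          /* unwanted descriptor: drop it immediately */
            (*discarded)++;
        }
    }
    return (mh.msg_flags & MSG_CTRUNC) ? -1 : n;
}

/*
 * Constructed demo: the peer sends "ping" with a descriptor attached. Returns 1
 * when the payload arrived, exactly one descriptor was discarded, and the
 * descriptor table is back where it started (no leak).
 */
int nofd_demo(void)
{
    int sv[2], discarded, probe, ok;
    char buf[32];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    int passed = open("/dev/null", O_RDONLY);
    if (passed == -1 || send_with_fd(sv[0], "ping", 4, passed) == -1)
        return 0;
    close(passed);                       /* sender's copy; the in-flight one is separate */

    ssize_t n = recv_nofd(sv[1], buf, sizeof buf, &discarded);

    /* If the received descriptor had been kept, this open() would land on a
     * higher number than the one we just freed. */
    probe = open("/dev/null", O_RDONLY);
    ok = (n == 4 && memcmp(buf, "ping", 4) == 0 && discarded == 1 && probe == passed);
    close(probe);
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```

Note the MSG_CTRUNC check: if the control buffer was too small, descriptors the kernel already installed are invisible to the loop, so the safe response is to treat the read as failed rather than assume nothing arrived.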

CVSROOT:	/cvs
Module name:	src
Changes by:	gilles@cvs.openbsd.org	2015/10/01 18:37:53

Modified files:
	usr.sbin/smtpd : smtpd.c 

Log message:
prevent users from playing hardlink/symlink/mkfifo games with their offline
messages and ~/.forward files. this allowed a local user to hang smtpd or
even reset chflags and read first line of any arbitrary file.

while at it, do not fatal() on unexpected cause of SIGCHLD as this allows a
specially crafted mda to cause smtpd to exit.

CVSROOT:	/cvs
Module name:	src
Changes by:	gilles@cvs.openbsd.org	2015/10/01 18:41:25

Modified files:
	usr.sbin/smtpd : util.c 

Log message:
in secure_file(), make uid checking on .forward files more strict to avoid
users creating hardlink to root-owned files and leaking first line.
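The two commits above (smtpd.c and util.c) both come down to how a privileged daemon should open a file a user controls, such as ~/.forward: the user may point it at a symlink, hardlink it to someone else's file, or replace it with a fifo, and each of those turns a harmless read into a hang or an information leak. As an added example, not OpenSMTPD's secure_file(), here is a check that refuses anything but a plain file with a single link, owned by the expected user and writable only by that user, and then verifies the opened descriptor matches the inode it inspected. The test files, their names and the temporary directory are constructed for the demonstration.

```c
/*
 * Added example (not OpenSMTPD code): secure_file()-style checks before a
 * daemon reads a user-controlled file such as ~/.forward. Refuses symlinks,
 * hardlinks, fifos and group/world-writable files, requires the expected
 * owner, and re-checks the opened descriptor against the inspected inode.
 */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns an open read-only fd, or -1 if the path fails any check. */
int open_user_file_safely(const char *path, uid_t expected_uid)
{
    struct stat lst, fst;
    int fd;

    /* lstat() so a symlink at this path is judged as a symlink, not by its target. */
    if (lstat(path, &lst) == -1)
        return -1;
    if (!S_ISREG(lst.st_mode))              /* symlink, fifo, device, directory: refuse */
        return -1;
    if (lst.st_nlink != 1)                  /* hardlinked to some other name: refuse */
        return -1;
    if (lst.st_uid != expected_uid)         /* must belong to the user it speaks for */
        return -1;
    if (lst.st_mode & (S_IWGRP | S_IWOTH))  /* nobody else may edit it */
        return -1;

    /* Open without following symlinks, then confirm the descriptor refers to
     * the very inode inspected above, closing the lstat()/open() race window.
     * O_NONBLOCK means even a fifo swapped in at the last moment cannot block us. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1)
        return -1;
    if (fstat(fd, &fst) == -1 || !S_ISREG(fst.st_mode) ||
        fst.st_dev != lst.st_dev || fst.st_ino != lst.st_ino || fst.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Constructed demo: builds test files in a fresh temporary directory and
 * returns how many of the five cases behaved as expected (5 when all checks work).
 */
int secure_file_demo(void)
{
    char dir[] = "/tmp/fwdcheck.XXXXXX";
    char good[64], lnk[64], hard[64], fifo[64], loose[64];
    const char *line = "user@example.com\n";   /* constructed .forward content */
    uid_t me = getuid();
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(good, sizeof good, "%s/good", dir);
    snprintf(lnk, sizeof lnk, "%s/symlink", dir);
    snprintf(hard, sizeof hard, "%s/hardlink", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(loose, sizeof loose, "%s/loose", dir);

    /* 1. A plain mode-0600 file we own is accepted. */
    if ((fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0600)) != -1) {
        (void)write(fd, line, strlen(line));
        close(fd);
    }
    if ((fd = open_user_file_safely(good, me)) != -1) { ok++; close(fd); }

    /* 2. A symlink, even one pointing at an acceptable file, is refused. */
    if (symlink(good, lnk) == 0 && open_user_file_safely(lnk, me) == -1) ok++;

    /* 3. A fifo is refused before any open(), so nothing can block on it. */
    if (mkfifo(fifo, 0600) == 0 && open_user_file_safely(fifo, me) == -1) ok++;

    /* 4. A world-writable file is refused. */
    fd = open(loose, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd != -1 && fchmod(fd, 0666) == 0 && open_user_file_safely(loose, me) == -1) ok++;
    if (fd != -1) close(fd);

    /* 5. A hardlink raises st_nlink to 2, so the linked name is refused. */
    if (link(good, hard) == 0 && open_user_file_safely(hard, me) == -1) ok++;

    unlink(good); unlink(lnk); unlink(fifo); unlink(loose); unlink(hard);
    rmdir(dir);
    return ok;
}
```

The st_nlink check is what stops the "hardlink to a root-owned file" trick in the util.c commit, and the ownership check covers the case where the link target is owned by someone else; the fstat() after open() is there because a check on a path name alone can be raced by renaming between the two calls.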

CVSROOT:	/cvs
Module name:	src
Changes by:	gilles@cvs.openbsd.org	2015/10/01 18:44:30

Modified files:
	usr.sbin/smtpd : mta_session.c smtp_session.c 

Log message:
detect that a certificate chain will not fit in imsg calls before passing
part of it and failing others, this may leave the lookup process in a weird
state and cause use-after-free and out-of-bounds memory reads, leading to
crashes or potential arbitrary code execution in unprivileged process.

Following those commits, version 5.7.2 was released in both OpenBSD-native and -portable flavors. Errata patches were also issued for 5.6, 5.7 and the soon-to-be-released 5.8. Thanks to the extensive privilege separation employed throughout smtpd, the impact of these issues was mostly minor.

On October 5th, more security issues were publicly announced. Version 5.7.3 was quickly released to address them. There's one very important distinction to make here though: the OpenSMTPD release available on the project's website is not the same code as the smtpd in the OpenBSD base system. The flaws corrected in the 5.7.3 release do not affect the version in base, because they were mostly problems in the filtering API code. That code, while included in the OpenSMTPD release tarballs, has not yet been committed to OpenBSD itself. In short, OpenBSD users just need to apply the errata patches (or upgrade to a new snapshot) as usual. Users of the -portable version will want to grab the latest release as soon as possible.

For more information on some of the bugs and their fixes, check out the full report by Qualys Security, who did the initial audit.



Comments
  1. By Ilyas Bakirov (82.200.241.50) on

    So OpenSMTPD versions should be versioned as -pVersion (portable version), as OpenSSH does, to distinguish the OpenBSD version of OpenSMTPD from its portable version

    Comments
    1. By Ilyas Bakirov (82.200.241.50) on

      > So OpenSMTPD versions should be versioned as -pVersion (portable version), as OpenSSH does, to distinguish the OpenBSD version of OpenSMTPD from its portable version
      although it's versioned as portable (-p), the article and the security research mention the generic version 5.7.3
