Contributed by tj on from the inbox-full-of-fun dept.
On October 2nd, Gilles Chehade (gilles@) committed the following six fixes to smtpd in the base system:
CVSROOT:	/cvs
Module name:	src
Changes by:	email@example.com	2015/10/01 18:26:45

Modified files:
	usr.sbin/smtpd : control.c

Log message:
do not allow connid to wrap and collide with another active connection id.
this allows a local user to trigger a fatal() and exit the daemon.

CVSROOT:	/cvs
Module name:	src
Changes by:	firstname.lastname@example.org	2015/10/01 18:29:51

Modified files:
	usr.sbin/smtpd : lka_session.c

Log message:
fix a stack-based buffer overflow in the token expansion code of the lookup
process (unprivileged), allowing a local user to crash the server or
potentially execute arbitrary code.

CVSROOT:	/cvs
Module name:	src
Changes by:	email@example.com	2015/10/01 18:32:05

Modified files:
	usr.sbin/smtpd : mproc.c

Log message:
introduce imsg_read_nofd() to allow reading imsg while discarding fd's when
reading from a context where we don't expect/want to receive one.
this prevents a local user from exhausting resources and causing smtpd to
hang by crafting valid imsg that don't expect a descriptor but passing one
anyways.

CVSROOT:	/cvs
Module name:	src
Changes by:	firstname.lastname@example.org	2015/10/01 18:37:53

Modified files:
	usr.sbin/smtpd : smtpd.c

Log message:
prevent users from playing hardlink/symlink/mkfifo games with their offline
messages and ~/.forward files. this allowed a local user to hang smtpd or
even reset chflags and read first line of any arbitrary file.
while at it, do not fatal() on unexpected cause of SIGCHLD as this allows a
specially crafted mda to cause smtpd to exit.

CVSROOT:	/cvs
Module name:	src
Changes by:	email@example.com	2015/10/01 18:41:25

Modified files:
	usr.sbin/smtpd : util.c

Log message:
in secure_file(), make uid checking on .forward files more strict to avoid
users creating hardlink to root-owned files and leaking first line.

CVSROOT:	/cvs
Module name:	src
Changes by:	firstname.lastname@example.org	2015/10/01 18:44:30

Modified files:
	usr.sbin/smtpd : mta_session.c smtp_session.c

Log message:
detect that a certificate chain will not fit in imsg calls before passing
part of it and failing others, this may leave the lookup process in a weird
state and cause use-after-free and out-of-bounds memory reads, leading to
crashes or potential arbitrary code execution in unprivileged process.
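The descriptor-passing bug in the mproc.c commit above comes down to one rule: a descriptor that arrives attached to a message whose type does not call for one must be closed, never parked in the receiver's fd table. The block below is an added example, not OpenSMTPD's imsg code. It uses plain recvmsg()/SCM_RIGHTS over a socketpair, with the misbehaving sender and the hardened receiver in one process; the names recv_nofd, send_with_fd, run_demo and the MAX_PASSED_FDS bound are this example's own assumptions.

```c
/* Added example, not OpenSMTPD code: receive a message over a Unix socket and
 * close every SCM_RIGHTS descriptor the peer attached when none is expected.
 * A descriptor the receiver never asked for still lands in its fd table; left
 * unclosed, a local peer can fill that table one crafted message at a time. */
#define _GNU_SOURCE		/* glibc feature macro; harmless elsewhere */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define MAX_PASSED_FDS 16	/* assumed upper bound on descriptors per message */

/* recv_nofd: recvmsg() that closes any passed descriptors on the spot.
 * *discarded gets the number closed. Returns recvmsg()'s byte count or -1. */
ssize_t
recv_nofd(int sock, void *buf, size_t buflen, int *discarded)
{
	union { struct cmsghdr hdr; unsigned char raw[CMSG_SPACE(sizeof(int) * MAX_PASSED_FDS)]; } cbuf;
	struct msghdr msg;
	struct iovec iov = { .iov_base = buf, .iov_len = buflen };
	struct cmsghdr *cmsg;
	ssize_t n;
	int i, nfds, *fds;

	*discarded = 0;
	memset(&msg, 0, sizeof(msg));
	memset(&cbuf, 0, sizeof(cbuf));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf.raw;
	msg.msg_controllen = sizeof(cbuf.raw);
	if ((n = recvmsg(sock, &msg, 0)) <= 0)
		return n;
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
			continue;
		fds = (int *)CMSG_DATA(cmsg);
		nfds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
		for (i = 0; i < nfds; i++) {	/* close, never keep: not ours to hold */
			close(fds[i]);
			(*discarded)++;
		}
	}
	return n;
}

/* send_with_fd: the misbehaving peer. Sends buf with one descriptor attached
 * even though the message it is sending does not call for one. */
ssize_t
send_with_fd(int sock, const void *buf, size_t len, int fd)
{
	union { struct cmsghdr hdr; unsigned char raw[CMSG_SPACE(sizeof(int))]; } cbuf;
	struct msghdr msg;
	struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
	struct cmsghdr *cmsg;

	memset(&msg, 0, sizeof(msg));
	memset(&cbuf, 0, sizeof(cbuf));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cbuf.raw;
	msg.msg_controllen = sizeof(cbuf.raw);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0);
}

/* run_demo: both ends in one process over a socketpair. Returns 1 when the
 * smuggled descriptor was discarded and the fd table did not grow, else 0. */
int
run_demo(void)
{
	int sv[2], extra, before, after, discarded = 0;
	char buf[16];

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return 0;
	extra = open("/dev/null", O_RDONLY);	/* the descriptor the peer smuggles in */
	before = dup(sv[0]);			/* lowest free fd slot right now */
	close(before);
	if (send_with_fd(sv[0], "PING", 4, extra) != 4 ||
	    recv_nofd(sv[1], buf, sizeof(buf), &discarded) != 4)
		return 0;
	after = dup(sv[0]);			/* same slot only if nothing leaked */
	close(after);
	close(extra);
	close(sv[0]);
	close(sv[1]);
	return discarded == 1 && after == before;
}
```

If a sender attaches more descriptors than the control buffer was sized for, recvmsg() sets MSG_CTRUNC in msg.msg_flags; check that flag if you want to log such peers. The point of the pattern is that the receiver decides what it keeps, at receive time, rather than trusting that the peer only sends what the protocol allows.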
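The smtpd.c and util.c commits above are about the same trust boundary: a file in a user's home directory that the daemon opens on the user's behalf. The block below is an added example, not OpenSMTPD's secure_file(); the names open_user_file, check_user_file, fwd_status and run_demo are this example's own. It shows a set of checks that refuses each trick named in those log messages, exercised against constructed fixtures in a scratch directory rather than real user data.

```c
/* Added example, not OpenSMTPD code: vet a user-controlled dotfile such as
 * ~/.forward before reading it. All checks run on the descriptor actually
 * opened (fstat, not stat), so the file cannot be swapped between check and
 * use, and each trick the commits above name (symlink, hard link to a
 * root-owned file, fifo) is refused. */
#define _GNU_SOURCE		/* glibc feature macro; harmless elsewhere */
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum fwd_status {
	FWD_OK = 0,
	FWD_OPEN_FAILED,	/* missing, unreadable, or a symlink (O_NOFOLLOW) */
	FWD_NOT_REGULAR,	/* fifo, device or directory */
	FWD_HARDLINKED,		/* st_nlink > 1: the same inode has another name */
	FWD_WRONG_OWNER,	/* not owned by the user it is attributed to */
	FWD_BAD_MODE		/* group- or world-writable */
};

/* open_user_file: open path and vet what came back. On FWD_OK, *fdp holds a
 * descriptor the caller must close; on any other verdict nothing stays open. */
enum fwd_status
open_user_file(const char *path, uid_t owner, int *fdp)
{
	struct stat st;
	int fd;

	/* O_NOFOLLOW rejects a symlinked final component. O_NONBLOCK matters for
	 * fifos: a blocking open of a fifo with no writer never returns, which is
	 * how a mkfifo'd ~/.forward wedges a daemon that opens it naively. */
	fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
	if (fd == -1)
		return FWD_OPEN_FAILED;
	if (fstat(fd, &st) == -1) { close(fd); return FWD_OPEN_FAILED; }
	if (!S_ISREG(st.st_mode)) { close(fd); return FWD_NOT_REGULAR; }
	if (st.st_nlink != 1) { close(fd); return FWD_HARDLINKED; }
	if (st.st_uid != owner) { close(fd); return FWD_WRONG_OWNER; }
	if (st.st_mode & (S_IWGRP | S_IWOTH)) { close(fd); return FWD_BAD_MODE; }
	*fdp = fd;
	return FWD_OK;
}

/* check_user_file: same verdict as open_user_file, descriptor closed again. */
enum fwd_status
check_user_file(const char *path, uid_t owner)
{
	int fd;
	enum fwd_status s = open_user_file(path, owner, &fd);

	if (s == FWD_OK)
		close(fd);
	return s;
}

/* run_demo: build one constructed fixture per attack shape in a scratch
 * directory and return a bitmask with one bit per case handled as intended:
 * 63 means all six did; -1 means no scratch directory could be created. */
int
run_demo(void)
{
	char dir[32] = "/tmp/fwdXXXXXX", ok[64], bad[64];
	uid_t me = getuid();
	int fd, bits = 0;

	if (mkdtemp(dir) == NULL) {
		strcpy(dir, "./fwdXXXXXX");
		if (mkdtemp(dir) == NULL)
			return -1;
	}
	snprintf(ok, sizeof(ok), "%s/forward", dir);
	snprintf(bad, sizeof(bad), "%s/evil", dir);

	/* 1: ordinary 0600 regular file owned by us: accepted */
	fd = open(ok, O_WRONLY | O_CREAT | O_EXCL, 0600);
	close(fd);
	if (check_user_file(ok, me) == FWD_OK) bits |= 1;
	/* 2: the same file attributed to a different uid */
	if (check_user_file(ok, me + 1) == FWD_WRONG_OWNER) bits |= 2;
	/* 3: group-writable file (fchmod directly so umask cannot interfere) */
	fd = open(bad, O_WRONLY | O_CREAT | O_EXCL, 0600);
	fchmod(fd, 0660);
	close(fd);
	if (check_user_file(bad, me) == FWD_BAD_MODE) bits |= 4;
	unlink(bad);
	/* 4: hard link: the inode now has two names, st_nlink == 2 */
	link(ok, bad);
	if (check_user_file(bad, me) == FWD_HARDLINKED) bits |= 8;
	unlink(bad);
	/* 5: symlink pointing at a root-owned file */
	symlink("/etc/passwd", bad);
	if (check_user_file(bad, me) == FWD_OPEN_FAILED) bits |= 16;
	unlink(bad);
	/* 6: fifo with no writer: a plain blocking open() would hang here */
	mkfifo(bad, 0600);
	if (check_user_file(bad, me) == FWD_NOT_REGULAR) bits |= 32;
	unlink(bad);

	unlink(ok);
	rmdir(dir);
	return bits;
}
```

What matters more than the order of the checks is where they run: every verdict is taken on the descriptor from the single open(), so swapping the file after the daemon looked at it gains the user nothing. A hard link to a root-owned file fails on st_nlink before st_uid is even consulted, a symlink is refused by the kernel via O_NOFOLLOW, and a fifo is opened without blocking and then rejected for not being a regular file.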
Following those commits, OpenSMTPD 5.7.2 was released in both the OpenBSD-native and the -portable flavors, and errata patches were issued for OpenBSD 5.6, 5.7 and the soon-to-be-released 5.8. Because smtpd is thoroughly privilege-separated, most of these bugs are confined to an unprivileged process (several of the log messages above say so explicitly), and their impact was mostly minor.
On October 5th, more security issues were publicly announced. Version 5.7.3 was quickly released to address them. There is one very important distinction to make here, though: the OpenSMTPD release tarballs distributed from the project's website are not the same code as the smtpd in the OpenBSD base system. The flaws fixed in 5.7.3 do not affect the version in base, because they were mostly in the filtering API code, which ships in the OpenSMTPD release tarballs but has not yet been committed to OpenBSD itself. In short, OpenBSD users just need to apply the errata patches (or upgrade to a new snapshot) as usual, while users of the -portable version will want to grab the latest release as soon as possible.
For more information on some of the bugs and their fixes, check out the full report by Qualys Security, who did the initial audit.