group.of.nepali.translators team mailing list archive

[Bug 1864707] [NEW] arbitrary command execution vulnerability

Public bug reported:

OpenBSD 6.6 errata 021, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

This affects Debian versions since 5.7.3p2 (released upstream
2016-02-02). In particular, every Ubuntu release since xenial is affected.
Quoting from the advisory:

    This vulnerability, an out-of-bounds read introduced in December
    2015 (commit 80c6a60c, "when peer outputs a multi-line response
    ..."), is exploitable remotely and leads to the execution of
    arbitrary shell commands: either as root, after May 2018 (commit
    a8e22235, "switch smtpd to new grammar"); or as any non-root user,
    before May 2018.

https://www.openwall.com/lists/oss-security/2020/02/24/5

The other advisory fixed by the patches does not appear to affect
Debian because /proc/sys/fs/protected_hardlinks is 1 by default:

https://www.openwall.com/lists/oss-security/2020/02/24/4

** Affects: opensmtpd (Ubuntu)
     Importance: Critical
         Status: Fix Released

** Affects: opensmtpd (Ubuntu Xenial)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Ubuntu Bionic)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Ubuntu Eoan)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Debian)
     Importance: Unknown
         Status: Unknown

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8794

** Bug watch added: Debian Bug tracker #952453
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453

** Also affects: opensmtpd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453
   Importance: Unknown
       Status: Unknown

** Also affects: opensmtpd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: opensmtpd (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: opensmtpd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: opensmtpd (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: opensmtpd (Ubuntu Bionic)
       Status: New => Confirmed

** Changed in: opensmtpd (Ubuntu Eoan)
       Status: New => Confirmed

** Changed in: opensmtpd (Ubuntu Xenial)
   Importance: Undecided => Critical

** Changed in: opensmtpd (Ubuntu Bionic)
   Importance: Undecided => Critical

** Changed in: opensmtpd (Ubuntu Eoan)
   Importance: Undecided => Critical

** Changed in: opensmtpd (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1864707

Title:
  arbitrary command execution vulnerability

Status in opensmtpd package in Ubuntu:
  Fix Released
Status in opensmtpd source package in Xenial:
  Confirmed
Status in opensmtpd source package in Bionic:
  Confirmed
Status in opensmtpd source package in Eoan:
  Confirmed
Status in opensmtpd package in Debian:
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensmtpd/+bug/1864707/+subscriptions
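A triage helper for the two points the report makes, added here as an example (it is not part of the bug report or of the OpenSMTPD project): it reads the installed opensmtpd version from `dpkg -s opensmtpd` output and compares its upstream part against 5.7.3p2, the first affected upstream release named above, and it checks whether fs.protected_hardlinks is 1, the setting the report cites for the companion advisory. The report names no fixed package versions, so a version at or past 5.7.3p2 is reported as being in the affected range rather than as vulnerable; the sample inputs are constructed.

```python
import re

FIRST_AFFECTED = "5.7.3p2"  # first affected upstream release named in the report


def parse_version(v):
    """Turn an opensmtpd package version ('6.0.3p1-6', '1:5.7.3p2-1') into a
    comparable tuple (major, minor, patch, p). Epoch and Debian revision are
    dropped because the report only names upstream versions."""
    upstream = v.split(":", 1)[-1].split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", upstream)
    if not m:
        raise ValueError("unrecognised opensmtpd version: %r" % v)
    return tuple(int(x or 0) for x in m.groups())


def installed_version(dpkg_status):
    """Version field from `dpkg -s opensmtpd` output, or None when the package
    is not in the 'installed' state (e.g. removed but config files kept)."""
    if not re.search(r"^Status: \S+ \S+ installed$", dpkg_status, re.M):
        return None
    m = re.search(r"^Version: (.+)$", dpkg_status, re.M)
    return m.group(1).strip() if m else None


def assess(dpkg_status, protected_hardlinks):
    """Describe exposure to the two issues in the report. Inputs are the text
    of `dpkg -s opensmtpd` and of /proc/sys/fs/protected_hardlinks."""
    version = installed_version(dpkg_status)
    result = {"version": version}
    if version is None:
        result["cve_2020_8794"] = "opensmtpd not installed"
    elif parse_version(version) >= parse_version(FIRST_AFFECTED):
        # The report gives no fixed versions, so this cannot prove a patch is absent.
        result["cve_2020_8794"] = "in affected range (5.7.3p2 or later); verify the security update is applied"
    else:
        result["cve_2020_8794"] = "older than 5.7.3p2, outside the affected range"
    # The companion advisory is not applicable when fs.protected_hardlinks is 1.
    result["hardlink_issue_mitigated"] = protected_hardlinks.strip() == "1"
    return result


# Constructed sample inputs, not captured from a real host.
SAMPLE_DPKG = "Package: opensmtpd\nStatus: install ok installed\nVersion: 6.0.3p1-6\n"
SAMPLE_HARDLINKS = "1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_DPKG, SAMPLE_HARDLINKS))
```

On a real host, feed it the output of `dpkg -s opensmtpd` and the contents of /proc/sys/fs/protected_hardlinks.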