OpenBSD 6.6 errata 019, January 30, 2020:
An incorrect check allows an attacker to trick mbox delivery into executing
arbitrary commands as root and lmtp delivery into executing arbitrary commands
as an unprivileged user.
--- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415
+++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000
@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch
memmove(maddr->user, p, strlen(p) + 1);
}
- if (!valid_localpart(maddr->user) ||
- !valid_domainpart(maddr->domain)) {
- /* accept empty return-path in MAIL FROM, required for bounces */
- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
- return (1);
+ /* accept empty return-path in MAIL FROM, required for bounces */
+ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+ return (1);
- /* no user-part, reject */
- if (maddr->user[0] == '\0')
- return (0);
-
- /* no domain, local user */
- if (maddr->domain[0] == '\0') {
- (void)strlcpy(maddr->domain, domain,
- sizeof(maddr->domain));
- return (1);
- }
+ /* no or invalid user-part, reject */
+ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
return (0);
+
+ /* no domain part, local user */
+ if (maddr->domain[0] == '\0') {
+ (void)strlcpy(maddr->domain, domain,
+ sizeof(maddr->domain));
}
+
+ if (!valid_domainpart(maddr->domain))
+ return (0);
return (1);
}
|
