47 lines
1.4 KiB
Diff
47 lines
1.4 KiB
Diff
OpenBSD 6.6 errata 019, January 30, 2020:
|
|
|
|
An incorrect check allows an attacker to trick mbox delivery into executing
|
|
arbitrary commands as root and lmtp delivery into executing arbitrary commands
|
|
as an unprivileged user.
|
|
|
|
--- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415
|
|
+++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000
|
|
@@ -2012,24 +2012,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch
|
|
memmove(maddr->user, p, strlen(p) + 1);
|
|
}
|
|
|
|
- if (!valid_localpart(maddr->user) ||
|
|
- !valid_domainpart(maddr->domain)) {
|
|
- /* accept empty return-path in MAIL FROM, required for bounces */
|
|
- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
|
|
- return (1);
|
|
+ /* accept empty return-path in MAIL FROM, required for bounces */
|
|
+ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
|
|
+ return (1);
|
|
|
|
- /* no user-part, reject */
|
|
- if (maddr->user[0] == '\0')
|
|
- return (0);
|
|
-
|
|
- /* no domain, local user */
|
|
- if (maddr->domain[0] == '\0') {
|
|
- (void)strlcpy(maddr->domain, domain,
|
|
- sizeof(maddr->domain));
|
|
- return (1);
|
|
- }
|
|
+ /* no or invalid user-part, reject */
|
|
+ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
|
|
return (0);
|
|
+
|
|
+ /* no domain part, local user */
|
|
+ if (maddr->domain[0] == '\0') {
|
|
+ (void)strlcpy(maddr->domain, domain,
|
|
+ sizeof(maddr->domain));
|
|
}
|
|
+
|
|
+ if (!valid_domainpart(maddr->domain))
|
|
+ return (0);
|
|
|
|
return (1);
|
|
}
|