[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 797214 (CVE-2021-34555) - <mail-filter/opendmarc-1.4.1.1-r2: denial of service via multivalue From header (CVE-2021-34555)
Summary: <mail-filter/opendmarc-1.4.1.1-r2: denial of service via multivalue From head...
Status: IN_PROGRESS
Alias: CVE-2021-34555
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/trusteddomainproje...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-20 22:18 UTC by John Helmert III
Modified: 2024-11-03 08:45 UTC (History)
1 user (show)

See Also:
Package list:
mail-filter/opendmarc-1.4.1.1-r2
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-20 22:18:40 UTC 
CVE-2021-34555:

OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a multi-value From header field.

Patches here but unreviewed by upstream:

https://github.com/trusteddomainproject/OpenDMARC/pull/178
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:40 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:49 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:48 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:54 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:58 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:52 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:10:12 UTC Comment hidden (obsolete)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 21:35:21 UTC 
Patches apparently in Debian, so I guess they think they're solid.
Comment 9 Larry the Git Cow gentoo-dev 2021-08-08 06:55:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5cdf10e604f2bfdd5663aa2e23c55dce8cf44321

commit 5cdf10e604f2bfdd5663aa2e23c55dce8cf44321
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-08-08 06:54:58 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-08-08 06:55:11 +0000

    mail-filter/opendmarc-1.4.1.1-r2: bump for CVE-2021-34555
    
    Bug: https://bugs.gentoo.org/797214
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 .../files/opendmarc-1.4.1.1-CVE-2021-34555.patch   | 87 ++++++++++++++++++++++
 mail-filter/opendmarc/opendmarc-1.4.1.1-r2.ebuild  | 70 +++++++++++++++++
 2 files changed, 157 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-08 19:22:33 UTC 
Please CC-ARCHES when ready, thanks!
Comment 11 Fabian Groffen gentoo-dev 2021-08-09 07:39:41 UTC 
1.4.1.1-r2 should be ready
Comment 12 Agostino Sarubbo gentoo-dev 2021-08-10 06:42:55 UTC 
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2021-08-10 06:43:35 UTC 
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2021-08-10 06:44:01 UTC 
sparc stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-11 00:04:01 UTC 
arm done
Comment 16 Agostino Sarubbo gentoo-dev 2021-08-11 06:39:40 UTC 
amd64 stable
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 01:07:39 UTC 
x86 done

all arches done
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 17:44:50 UTC 
Please cleanup.
Comment 19 Larry the Git Cow gentoo-dev 2021-08-20 06:26:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5769b6d90d1f8604045d5e5577dfc3360aa51ec

commit c5769b6d90d1f8604045d5e5577dfc3360aa51ec
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-08-20 06:25:19 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-08-20 06:25:37 +0000

    mail-filter/opendmarc: security cleanup
    
    Bug: https://bugs.gentoo.org/797214
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/opendmarc-1.3.3.ebuild      | 78 -----------------------
 mail-filter/opendmarc/opendmarc-1.4.1.1-r1.ebuild | 66 -------------------
 2 files changed, 144 deletions(-)
Comment 20 Larry the Git Cow gentoo-dev 2024-11-03 08:45:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=951a43c8f8d9bf06d1bbab99ce76fefc0a2b856b

commit 951a43c8f8d9bf06d1bbab99ce76fefc0a2b856b
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2024-11-03 08:41:36 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2024-11-03 08:45:38 +0000

    mail-filter/opendmarc-1.4.2: version bump
    
    - release including official upstream fix for CVE-2021-34555
    - add res_ninit to QA exceptions for musl systems
    
    Closes: https://bugs.gentoo.org/923992
    Closes: https://bugs.gentoo.org/930505
    Bug: https://bugs.gentoo.org/797214
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-filter/opendmarc/Manifest                    |  1 +
 mail-filter/opendmarc/opendmarc-1.4.1.1-r6.ebuild |  2 +
 mail-filter/opendmarc/opendmarc-1.4.2.ebuild      | 77 +++++++++++++++++++++++
 3 files changed, 80 insertions(+)