File: 019_smtpd_exec.patch.sig

opensmtpd 6.0.3p1-5%2Bdeb10u4
Description: fix privilege escalation bug
 OpenBSD 6.6 errata 019, January 30, 2020:
 .
 An incorrect check allows an attacker to trick mbox delivery into executing
 arbitrary commands as root and lmtp delivery into executing arbitrary commands
 as an unprivileged user.
Origin: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
Bug-Debian: https://bugs.debian.org/950121
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: opensmtpd/smtpd/smtp_session.c
===================================================================
--- opensmtpd.orig/smtpd/smtp_session.c	2020-01-28 17:56:24.026693606 -0500
+++ opensmtpd/smtpd/smtp_session.c	2020-01-28 17:56:24.022693963 -0500
@@ -2006,25 +2006,23 @@
 		memmove(maddr->user, p, strlen(p) + 1);
 	}
 
-	if (!valid_localpart(maddr->user) ||
-	    !valid_domainpart(maddr->domain)) {
-		/* accept empty return-path in MAIL FROM, required for bounces */
-		if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-			return (1);
+	/* accept empty return-path in MAIL FROM, required for bounces */
+	if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
+		return (1);
 
-		/* no user-part, reject */
-		if (maddr->user[0] == '\0')
-			return (0);
-
-		/* no domain, local user */
-		if (maddr->domain[0] == '\0') {
-			(void)strlcpy(maddr->domain, domain,
-			    sizeof(maddr->domain));
-			return (1);
-		}
+	/* no or invalid user-part, reject */
+	if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
 		return (0);
+
+	/* no domain part, local user */
+	if (maddr->domain[0] == '\0') {
+		(void)strlcpy(maddr->domain, domain,
+			sizeof(maddr->domain));
 	}
 
+	if (!valid_domainpart(maddr->domain))
+		return (0);
+
 	return (1);
 }
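Review bot: The comments on the new side do not record the invariant this reordering establishes, namely that after the empty return-path case no accepting `return (1)` may be reached until `valid_localpart()` has passed; the removed "no domain, local user" branch accepted exactly such an address. I would add above the user-part check a comment such as `/* every accepting return below must come after valid_localpart(); do not add early returns */`, since the errata text indicates the address later influences delivery. Separately, `(void)strlcpy(...)` discards truncation, so an over-long default `domain` would be silently shortened and then validated in its shortened form; `if (strlcpy(maddr->domain, domain, sizeof(maddr->domain)) >= sizeof(maddr->domain)) return (0);` would reject it instead. The function starts above the hunk, so where `domain` comes from cannot be confirmed from these lines.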