OpenBSD 6.5 errata 031, February 24, 2020: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. --- a/smtpd/makemap.c.orig 2018-01-10 05:06:40.000000000 -0800 +++ b/smtpd/makemap.c 2020-02-24 15:41:18.278340410 -0800 @@ -105,8 +105,13 @@ makemap(int prog_mode, int argc, char *a int ch, dbputs = 0, Uflag = 0; DBTYPE dbtype = DB_HASH; char *p; + gid_t gid; int fd = -1; + gid = getgid(); + if (setresgid(gid, gid, gid) == -1) + err(1, "setresgid"); + log_init(1, LOG_MAIL); mode = prog_mode; @@ -180,9 +185,9 @@ makemap(int prog_mode, int argc, char *a errx(1, "database name too long"); } - execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-", - (char *)NULL); - err(1, "execlp"); + execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname, + "-", (char *)NULL); + err(1, "execl"); } if (mode == P_NEWALIASES) { --- a/smtpd/mta_session.c.orig 2020-02-08 10:24:17.692029666 -0800 +++ b/smtpd/mta_session.c 2020-02-24 15:46:46.121342818 -0800 @@ -1214,7 +1214,7 @@ mta_io(struct io *io, int evt, void *arg if (cont) { if (s->replybuf[0] == '\0') (void)strlcat(s->replybuf, line, sizeof s->replybuf); - else { + else if (len > 4) { line = line + 4; if (isdigit((int)*line) && *(line + 1) == '.' && isdigit((int)*line+2) && *(line + 3) == '.' && @@ -1229,7 +1229,9 @@ mta_io(struct io *io, int evt, void *arg /* last line of a reply, check if we're on a continuation to parse out status and ESC. * if we overflow reply buffer or are not on continuation, log entire last line. */ - if (s->replybuf[0] != '\0') { + if (s->replybuf[0] == '\0') + (void)strlcat(s->replybuf, line, sizeof s->replybuf); + else if (len > 4) { p = line + 4; if (isdigit((int)*p) && *(p + 1) == '.' && isdigit((int)*p+2) && *(p + 3) == '.' && @@ -1238,8 +1240,6 @@ mta_io(struct io *io, int evt, void *arg if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf) (void)strlcpy(s->replybuf, line, sizeof s->replybuf); } - else - (void)strlcpy(s->replybuf, line, sizeof s->replybuf); if (s->state == MTA_QUIT) { log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu", --- a/smtpd/smtpctl.c.orig 2018-01-10 05:06:40.000000000 -0800 +++ b/smtpd/smtpctl.c 2020-02-24 14:57:04.687320914 -0800 @@ -1116,7 +1116,7 @@ sendmail_compat(int argc, char **argv) */ for (i = 1; i < argc; i++) if (strncmp(argv[i], "-bi", 3) == 0) - exit(makemap(P_NEWALIASES, argc, argv)); + exit(makemap(P_SENDMAIL, argc, argv)); if (!srv_connect()) offlinefp = offline_file(); --- a/smtpd/smtpd-defines.h.orig 2018-01-10 05:06:40.000000000 -0800 +++ b/smtpd/smtpd-defines.h 2020-02-24 15:00:29.616322420 -0800 @@ -46,6 +46,9 @@ #ifndef PATH_SPOOL #define PATH_SPOOL "/var/spool/smtpd" #endif +#ifndef PATH_MAKEUP +#define PATH_MAKEMAP "/usr/sbin/makemap" +#endif #define SUBADDRESSING_DELIMITER "+" --- a/smtpd/smtpd.c.orig 2018-01-10 05:06:40.000000000 -0800 +++ b/smtpd/smtpd.c 2020-02-24 15:55:55.503346854 -0800 @@ -109,9 +109,10 @@ static struct mproc *setup_peer(enum smt static int imsg_wait(struct imsgbuf *, struct imsg *, int); static void offline_scan(int, short, void *); -static int offline_add(char *); +static int offline_add(char *, uid_t, gid_t); static void offline_done(void); -static int offline_enqueue(char *); +static int offline_enqueue(char *, uid_t, gid_t); + static void purge_task(void); static int parent_auth_user(const char *, const char *); @@ -136,6 +137,8 @@ struct child { struct offline { TAILQ_ENTRY(offline) entry; + uid_t uid; + gid_t gid; char *path; }; @@ -1409,7 +1412,8 @@ offline_scan(int fd, short ev, void *arg continue; } - if (offline_add(e->fts_name)) { + if (offline_add(e->fts_name, e->fts_statp->st_uid, + e->fts_statp->st_gid)) { log_warnx("warn: smtpd: " "could not add offline message %s", e->fts_name); continue; @@ -1429,7 +1433,7 @@ offline_scan(int fd, short ev, void *arg } static int -offline_enqueue(char *name) +offline_enqueue(char *name, uid_t uid, gid_t gid) { char *path; struct stat sb; @@ -1491,6 +1495,18 @@ offline_enqueue(char *name) _exit(1); } + if (sb.st_uid != uid) { + log_warnx("warn: smtpd: file %s has bad uid %d", + path, sb.st_uid); + _exit(1); + } + + if (sb.st_gid != gid) { + log_warnx("warn: smtpd: file %s has bad gid %d", + path, sb.st_gid); + _exit(1); + } + pw = getpwuid(sb.st_uid); if (pw == NULL) { log_warnx("warn: smtpd: getpwuid for uid %d failed", @@ -1547,17 +1563,19 @@ offline_enqueue(char *name) } static int -offline_add(char *path) +offline_add(char *path, uid_t uid, gid_t gid) { struct offline *q; if (offline_running < OFFLINE_QUEUEMAX) /* skip queue */ - return offline_enqueue(path); + return offline_enqueue(path, uid, gid); q = malloc(sizeof(*q) + strlen(path) + 1); if (q == NULL) return (-1); + q->uid = uid; + q->gid = gid; q->path = (char *)q + sizeof(*q); memmove(q->path, path, strlen(path) + 1); TAILQ_INSERT_TAIL(&offline_q, q, entry); @@ -1576,7 +1594,8 @@ offline_done(void) if ((q = TAILQ_FIRST(&offline_q)) == NULL) break; /* all done */ TAILQ_REMOVE(&offline_q, q, entry); - offline_enqueue(q->path); + offline_enqueue(q->path, q->uid, q->gid); + free(q); } } --- a/smtpd/smtpd.h.orig 2018-01-10 05:06:40.000000000 -0800 +++ b/smtpd/smtpd.h 2020-02-24 15:20:09.043331085 -0800 @@ -128,8 +128,10 @@ #define MTA_EXT_DSN 0x400 -#define P_NEWALIASES 0 -#define P_MAKEMAP 1 +#define P_SENDMAIL 0 +#define P_NEWALIASES 1 +#define P_MAKEMAP 2 + struct userinfo { char username[SMTPD_VUSERNAME_SIZE];