path: root/network/opensmtpd/openbsd65-031-smtpd-envelope.patch

OpenBSD 6.5 errata 031, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

--- a/smtpd/makemap.c.orig	2018-01-10 05:06:40.000000000 -0800
+++ b/smtpd/makemap.c	2020-02-24 15:41:18.278340410 -0800
@@ -105,8 +105,13 @@ makemap(int prog_mode, int argc, char *a
 	int		 ch, dbputs = 0, Uflag = 0;
 	DBTYPE		 dbtype = DB_HASH;
 	char		*p;
+	gid_t		gid;
 	int		 fd = -1;
 
+	gid = getgid();
+	if (setresgid(gid, gid, gid) == -1)
+		err(1, "setresgid");
+
 	log_init(1, LOG_MAIL);
 
 	mode = prog_mode;
@@ -180,9 +185,9 @@ makemap(int prog_mode, int argc, char *a
 				errx(1, "database name too long");
 		}
 
-		execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-",
-		    (char *)NULL);
-		err(1, "execlp");
+		execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname,
+		     "-", (char *)NULL);
+		err(1, "execl");
 	}
 
 	if (mode == P_NEWALIASES) {
--- a/smtpd/mta_session.c.orig	2020-02-08 10:24:17.692029666 -0800
+++ b/smtpd/mta_session.c	2020-02-24 15:46:46.121342818 -0800
@@ -1214,7 +1214,7 @@ mta_io(struct io *io, int evt, void *arg
 		if (cont) {
 			if (s->replybuf[0] == '\0')
 				(void)strlcat(s->replybuf, line, sizeof s->replybuf);
-			else {
+			else if (len > 4) {
 				line = line + 4;
 				if (isdigit((int)*line) && *(line + 1) == '.' &&
 				    isdigit((int)*line+2) && *(line + 3) == '.' &&
@@ -1229,7 +1229,9 @@ mta_io(struct io *io, int evt, void *arg
 		/* last line of a reply, check if we're on a continuation to parse out status and ESC.
 		 * if we overflow reply buffer or are not on continuation, log entire last line.
 		 */
-		if (s->replybuf[0] != '\0') {
+		if (s->replybuf[0] == '\0')
+			(void)strlcat(s->replybuf, line, sizeof s->replybuf);
+		else if (len > 4) {
 			p = line + 4;
 			if (isdigit((int)*p) && *(p + 1) == '.' &&
 			    isdigit((int)*p+2) && *(p + 3) == '.' &&
@@ -1238,8 +1240,6 @@ mta_io(struct io *io, int evt, void *arg
 			if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
 				(void)strlcpy(s->replybuf, line, sizeof s->replybuf);
 		}
-		else
-			(void)strlcpy(s->replybuf, line, sizeof s->replybuf);
 
 		if (s->state == MTA_QUIT) {
 			log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu",
--- a/smtpd/smtpctl.c.orig	2018-01-10 05:06:40.000000000 -0800
+++ b/smtpd/smtpctl.c	2020-02-24 14:57:04.687320914 -0800
@@ -1116,7 +1116,7 @@ sendmail_compat(int argc, char **argv)
 		 */
 		for (i = 1; i < argc; i++)
 			if (strncmp(argv[i], "-bi", 3) == 0)
-				exit(makemap(P_NEWALIASES, argc, argv));
+				exit(makemap(P_SENDMAIL, argc, argv));
 
 		if (!srv_connect())
 			offlinefp = offline_file();
--- a/smtpd/smtpd-defines.h.orig	2018-01-10 05:06:40.000000000 -0800
+++ b/smtpd/smtpd-defines.h	2020-02-24 15:00:29.616322420 -0800
@@ -46,6 +46,9 @@
 #ifndef PATH_SPOOL
 #define PATH_SPOOL		"/var/spool/smtpd"
 #endif
+#ifndef PATH_MAKEUP
+#define PATH_MAKEMAP		"/usr/sbin/makemap"
+#endif
 
 #define SUBADDRESSING_DELIMITER	"+"
 
--- a/smtpd/smtpd.c.orig	2018-01-10 05:06:40.000000000 -0800
+++ b/smtpd/smtpd.c	2020-02-24 15:55:55.503346854 -0800
@@ -109,9 +109,10 @@ static struct mproc *setup_peer(enum smt
 static int imsg_wait(struct imsgbuf *, struct imsg *, int);
 
 static void	offline_scan(int, short, void *);
-static int	offline_add(char *);
+static int	offline_add(char *, uid_t, gid_t);
 static void	offline_done(void);
-static int	offline_enqueue(char *);
+static int	offline_enqueue(char *, uid_t, gid_t);
+
 
 static void	purge_task(void);
 static int	parent_auth_user(const char *, const char *);
@@ -136,6 +137,8 @@ struct child {
 
 struct offline {
 	TAILQ_ENTRY(offline)	 entry;
+	uid_t			 uid;
+	gid_t			 gid;
 	char			*path;
 };
 
@@ -1409,7 +1412,8 @@ offline_scan(int fd, short ev, void *arg
 			continue;
 		}
 
-		if (offline_add(e->fts_name)) {
+		if (offline_add(e->fts_name, e->fts_statp->st_uid,
+		    e->fts_statp->st_gid)) {
 			log_warnx("warn: smtpd: "
 			    "could not add offline message %s", e->fts_name);
 			continue;
@@ -1429,7 +1433,7 @@ offline_scan(int fd, short ev, void *arg
 }
 
 static int
-offline_enqueue(char *name)
+offline_enqueue(char *name, uid_t uid, gid_t gid)
 {
 	char		*path;
 	struct stat	 sb;
@@ -1491,6 +1495,18 @@ offline_enqueue(char *name)
 			_exit(1);
 		}
 
+		if (sb.st_uid != uid) {
+			log_warnx("warn: smtpd: file %s has bad uid %d",
+			    path, sb.st_uid);
+			_exit(1);
+		}
+
+		if (sb.st_gid != gid) {
+			log_warnx("warn: smtpd: file %s has bad gid %d",
+			    path, sb.st_gid);
+			_exit(1);
+		}
+
 		pw = getpwuid(sb.st_uid);
 		if (pw == NULL) {
 			log_warnx("warn: smtpd: getpwuid for uid %d failed",
@@ -1547,17 +1563,19 @@ offline_enqueue(char *name)
 }
 
 static int
-offline_add(char *path)
+offline_add(char *path, uid_t uid, gid_t gid)
 {
 	struct offline	*q;
 
 	if (offline_running < OFFLINE_QUEUEMAX)
 		/* skip queue */
-		return offline_enqueue(path);
+		return offline_enqueue(path, uid, gid);
 
 	q = malloc(sizeof(*q) + strlen(path) + 1);
 	if (q == NULL)
 		return (-1);
+	q->uid = uid;
+	q->gid = gid;
 	q->path = (char *)q + sizeof(*q);
 	memmove(q->path, path, strlen(path) + 1);
 	TAILQ_INSERT_TAIL(&offline_q, q, entry);
@@ -1576,7 +1594,8 @@ offline_done(void)
 		if ((q = TAILQ_FIRST(&offline_q)) == NULL)
 			break; /* all done */
 		TAILQ_REMOVE(&offline_q, q, entry);
-		offline_enqueue(q->path);
+		offline_enqueue(q->path, q->uid, q->gid);
+
 		free(q);
 	}
 }
--- a/smtpd/smtpd.h.orig	2018-01-10 05:06:40.000000000 -0800
+++ b/smtpd/smtpd.h	2020-02-24 15:20:09.043331085 -0800
@@ -128,8 +128,10 @@
 #define MTA_EXT_DSN		0x400
 
 
-#define P_NEWALIASES	0
-#define P_MAKEMAP	1
+#define P_SENDMAIL	0
+#define P_NEWALIASES	1
+#define P_MAKEMAP	2
+
 
 struct userinfo {
 	char username[SMTPD_VUSERNAME_SIZE];