Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: opend...@packages.debian.org
Control: affects -1 + src:opendkim
(The same as #1056732, this time targeting oldstable)

After sponsoring the maintainer David Bürgin I've offered them to tackle s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285)

Before the upload, stable and sid were at the same version, namely 2.11.0~beta2-8, so the patch could have been applied as is, without changes needed. Additional changes, not suitable for s-p-u, have been dropped.

The patch is authored by David Bürgin and they confirm that they have tested the patch and it indeed fixes the issue (quote from #1056285#19):

> Hello Tobi,
>
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, because unfortunately there is not a lot of information available
> > e.g. from the upstream issue and upstream seems to be generally very
> > silent…
>
> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

(I've uploaded the package to the s-p-u queue already.)

debdiff attached.
diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog --- opendkim-2.11.0~beta2/debian/changelog 2020-10-12 15:15:30.000000000 +0200 +++ opendkim-2.11.0~beta2/debian/changelog 2023-12-01 19:17:01.000000000 +0100 @@ -1,3 +1,13 @@ +opendkim (2.11.0~beta2-4+deb11u1) bullseye; urgency=high + + * Non-maintainer upload by the Security Team. + + [ David Bürgin ] + * Add patch "rev-ares-deletion.patch" for CVE-2022-48521: + Delete Authentication-Results headers in reverse (Closes: #1041107). + + -- Tobias Frost <t...@debian.org> Fri, 01 Dec 2023 19:17:01 +0100 + opendkim (2.11.0~beta2-4) unstable; urgency=medium * Update debhelper-compat to compatibility level 13. diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch --- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 1970-01-01 01:00:00.000000000 +0100 +++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 2023-12-01 19:11:21.000000000 +0100 
@@ -0,0 +1,33 @@ +Description: Delete Authentication-Results headers in reverse (CVE-2022-48521) +Author: David Bürgin <dbuer...@gluet.ch> +Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189 + +--- a/opendkim/opendkim.c ++++ b/opendkim/opendkim.c +@@ -13651,9 +13651,16 @@ + return SMFIS_TEMPFAIL; + } + +- c = 0; ++ c = 1; ++ + for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next) + { ++ if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) ++ c++; ++ } ++ ++ for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev) ++ { + memset(ares, '\0', sizeof(struct authres)); + + if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) +@@ -13664,7 +13671,7 @@ + char *slash; + + /* remember index */ +- c++; ++ c--; + + /* parse the header */ + arstat = ares_parse((u_char *) hdr->hdr_val, diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series --- opendkim-2.11.0~beta2/debian/patches/series 2020-07-24 10:48:27.000000000 +0200 +++ opendkim-2.11.0~beta2/debian/patches/series 2023-12-01 19:14:10.000000000 +0100 @@ -4,3 +4,4 @@ fix-miltertest-eom-check-smtpreply.patch fix-genzone-subdomains.patch suppress-brackets-syslog.patch +rev-ares-deletion.patch
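Review bot: The changelog hunk says "Non-maintainer upload by the Security Team." while this request is filed with the release team for (o-)s-p-u (Usertags: pu) and the report describes a sponsored upload, so the wording should match the actual upload route (plain "Non-maintainer upload." unless the Security Team is in fact the uploader); the rest of the entry (urgency=high, the CVE-2022-48521 reference and Closes: #1041107) reads fine.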
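Review bot: In the rev-ares-deletion.patch hunk the bookkeeping for `c` is now split across two loops but the call that consumes `c` lies below the visible context, so confirm against the full function that the new numbering matches that consumer: after the counting loop `c` is 1 + (number of Authentication-Results headers), and the `c--` at "/* remember index */" then yields N for the last such header in the tail-first walk and 1 for the first, i.e. 1-based indices handed out in reverse. The Description line gives only the what ("Delete Authentication-Results headers in reverse"); a one-line comment above the second `for` stating why the walk must be tail-first would make the fix self-explanatory in the code itself.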
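To make the index arithmetic in the hunk concrete, here is an added illustration that is not part of this bug report, the Debian package or OpenDKIM: a small C simulation of deleting headers by 1-based index over a constructed message, with both the pre-patch head-first walk and the patched tail-first walk reproducing the `c` bookkeeping shown in the hunk. The deletion model (a `chgheader_delete` stand-in for the libmilter `smfi_chgheader()` call with a NULL value, counting headers of one name in the MTA's current order), the local authserv-id `mx.example.org`, the `claims_local` predicate, the sample headers and all function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_HDRS 8
#define AUTHRESULTSHDR "Authentication-Results"
/* Assumed local authserv-id: an A-R header claiming this id is treated as forged. */
#define LOCAL_AUTHSERV_ID "mx.example.org"

/* One header; id tags the original position so survivors can be reported
   (a constructed convenience, not part of any milter API). */
struct hdr { const char *name; const char *value; int id; };
struct msg { struct hdr h[MAX_HDRS]; int n; };

/* Simplified model of smfi_chgheader(ctx, name, idx, NULL): delete the idx-th
   (1-based) header with this name, counted in the message's *current* order.
   Returns 1 on success, 0 when no such header exists. Assumption, not libmilter. */
static int chgheader_delete(struct msg *m, const char *name, int idx)
{
    int seen = 0;
    for (int i = 0; i < m->n; i++) {
        if (strcasecmp(m->h[i].name, name) != 0)
            continue;
        if (++seen == idx) {
            memmove(&m->h[i], &m->h[i + 1], (size_t)(m->n - i - 1) * sizeof m->h[0]);
            m->n--;
            return 1;
        }
    }
    return 0;
}

/* Does this A-R header claim our own authserv-id? (stand-in for the real parse) */
static int claims_local(const struct hdr *h)
{
    size_t len = strlen(LOCAL_AUTHSERV_ID);
    return strcasecmp(h->name, AUTHRESULTSHDR) == 0
        && strncasecmp(h->value, LOCAL_AUTHSERV_ID, len) == 0
        && h->value[len] == ';';
}

/* Constructed sample message: four A-R headers, ids 1 and 3 forged as ours. */
static struct msg constructed_message(void)
{
    struct msg m = { .n = 0 };
    const struct hdr sample[] = {
        { "From",         "alice@example.com",                                  0 },
        { AUTHRESULTSHDR, LOCAL_AUTHSERV_ID "; dkim=pass header.d=example.com", 1 },
        { AUTHRESULTSHDR, "other.example.net; spf=pass",                        2 },
        { AUTHRESULTSHDR, LOCAL_AUTHSERV_ID "; dmarc=pass",                     3 },
        { AUTHRESULTSHDR, "relay.example.net; dkim=none",                       4 },
        { "Subject",      "hello",                                              0 },
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        m.h[m.n++] = sample[i];
    return m;
}

/* Walk the milter's own snapshot of the headers (unchanged by deletions) and delete
   forged A-R headers by index in the MTA's copy. reverse=0 mirrors the pre-patch
   head-first loop, reverse=1 the patched count-then-tail-first loops.
   Fills ids with the surviving A-R header ids and returns their count. */
static int strip_forged(int reverse, int *ids, int max)
{
    struct msg snapshot = constructed_message();   /* what dfc->mctx_hqhead holds */
    struct msg mta = snapshot;                     /* what chgheader acts on */
    int c;

    if (!reverse) {
        c = 0;
        for (int i = 0; i < snapshot.n; i++) {
            if (strcasecmp(snapshot.h[i].name, AUTHRESULTSHDR) != 0)
                continue;
            c++;                                   /* remember index */
            if (claims_local(&snapshot.h[i]))
                chgheader_delete(&mta, AUTHRESULTSHDR, c);
        }
    } else {
        c = 1;
        for (int i = 0; i < snapshot.n; i++)
            if (strcasecmp(snapshot.h[i].name, AUTHRESULTSHDR) == 0)
                c++;
        for (int i = snapshot.n - 1; i >= 0; i--) {
            if (strcasecmp(snapshot.h[i].name, AUTHRESULTSHDR) != 0)
                continue;
            c--;                                   /* remember index */
            if (claims_local(&snapshot.h[i]))
                chgheader_delete(&mta, AUTHRESULTSHDR, c);
        }
    }

    int n = 0;
    for (int i = 0; i < mta.n && n < max; i++)
        if (strcasecmp(mta.h[i].name, AUTHRESULTSHDR) == 0)
            ids[n++] = mta.h[i].id;
    return n;
}

/* Packs surviving ids as decimal digits (ids 2,4 -> 24) for a one-value comparison. */
static int survivors_code(int reverse)
{
    int ids[MAX_HDRS], code = 0;
    int n = strip_forged(reverse, ids, MAX_HDRS);
    for (int i = 0; i < n; i++)
        code = code * 10 + ids[i];
    return code;
}

int main(void)
{
    printf("head-first walk: surviving A-R ids %d\n", survivors_code(0));  /* 23 */
    printf("tail-first walk: surviving A-R ids %d\n", survivors_code(1));  /* 24 */
    return 0;
}
```

In the head-first walk, deleting index 1 shifts every later header of that name down by one before index 3 is used, so the forged id-3 header survives and the foreign id-4 header is removed instead; in the tail-first walk each deletion only affects indices that have already been consumed, so exactly the forged headers (1 and 3) go, which is the property a test message of the kind described in the quoted reply would check.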