Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: opend...@packages.debian.org
Control: affects -1 + src:opendkim
After sponsoring the maintainer David Bürgin, I've offered to tackle s-p-u and o-s-p-u for them, addressing CVE-2022-48521. (Details: RFS #1056285)

Before the upload, stable and sid were at the same version, namely 2.11.0~beta2-8, so the patch could be applied as is, without any changes needed. Additional changes not suitable for s-p-u have been dropped.

The patch is authored by David Bürgin and they confirm that they have tested the patch and that it indeed fixes the issue (quote from #1056285#19):

> Hello Tobi,
>
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, because unfortunately there is not a lot of information available
> > e.g. from the upstream issue and upstream seems to be generally very
> > silent…
>
> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

(I've uploaded the package to the s-p-u queue already.)

debdiff attached.

--
Cheers,
tobi
diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog --- opendkim-2.11.0~beta2/debian/changelog 2022-12-20 09:10:44.000000000 +0100 +++ opendkim-2.11.0~beta2/debian/changelog 2023-11-25 17:19:13.000000000 +0100 @@ -1,3 +1,13 @@ +opendkim (2.11.0~beta2-8+deb12u1) bookworm; urgency=medium + + * Non-Maintainer upload by the security team. + + [ David Bürgin ] + * Add patch "rev-ares-deletion.patch" for CVE-2022-48521: + Delete Authentication-Results headers in reverse (Closes: #1041107). + + -- Tobias Frost <t...@debian.org> Sat, 25 Nov 2023 17:19:13 +0100 + opendkim (2.11.0~beta2-8) unstable; urgency=medium [ David Bürgin ] diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch --- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 1970-01-01 01:00:00.000000000 +0100 +++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 2023-11-25 17:19:13.000000000 +0100 
@@ -0,0 +1,33 @@ +Description: Delete Authentication-Results headers in reverse (CVE-2022-48521) +Author: David Bürgin <dbuer...@gluet.ch> +Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189 + +--- a/opendkim/opendkim.c ++++ b/opendkim/opendkim.c +@@ -13651,9 +13651,16 @@ + return SMFIS_TEMPFAIL; + } + +- c = 0; ++ c = 1; ++ + for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next) + { ++ if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) ++ c++; ++ } ++ ++ for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev) ++ { + memset(ares, '\0', sizeof(struct authres)); + + if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) +@@ -13664,7 +13671,7 @@ + char *slash; + + /* remember index */ +- c++; ++ c--; + + /* parse the header */ + arstat = ares_parse((u_char *) hdr->hdr_val, diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series --- opendkim-2.11.0~beta2/debian/patches/series 2022-12-12 14:41:20.000000000 +0100 +++ opendkim-2.11.0~beta2/debian/patches/series 2023-11-25 17:19:13.000000000 +0100 @@ -12,3 +12,4 @@ conf_refcnt.patch lua-5.3.patch fix-RSA_Sign-call.patch +rev-ares-deletion.patch
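Review bot: in the debian/changelog hunk, the line "Non-Maintainer upload by the security team." does not match the rest of this request, which is filed against release.debian.org with Usertags: pu and went to the s-p-u queue rather than through the security team; either drop "by the security team" or say that it is a sponsored non-maintainer upload for bookworm via stable-proposed-updates. The rest of the entry is consistent: the [ David Bürgin ] attribution matches the Author field of the patch, and both CVE-2022-48521 and #1041107 are named.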
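Review bot: in the opendkim.c hunks of rev-ares-deletion.patch, the comment "/* remember index */" now sits directly above "c--;", which reads as if the index were being thrown away rather than pre-decremented to this header's 1-based position, and nothing explains why the walk now starts at mctx_hqtail. The first loop leaves c at one past the number of Authentication-Results headers, so the reverse walk hands each one its index from the highest down, and deleting the highest-numbered occurrence first means the indices of the occurrences still to be deleted cannot shift under earlier deletions, which is exactly what the old head-to-tail walk got wrong. Suggest replacing the comment with something like "/* c now holds this header's 1-based index; walk tail first so deletions do not renumber the remaining A-R headers */" above the "c--;". A smaller DEP-3 point: next to "Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189" add "Bug-Debian: https://bugs.debian.org/1041107" so the patch header also records the Debian bug it closes.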
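Review bot: in the debian/patches/series hunk, the file name rev-ares-deletion.patch carries no CVE identifier; naming the patch after the CVE (e.g. including CVE-2022-48521 in the file name) is the usual convention for security fixes in Debian and makes the fix easier to match against the security tracker in later stable updates, even though the Description line inside the patch already mentions the CVE.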
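The test David describes above (a crafted message with several Authentication-Results headers, checking which ones get deleted), together with the tail-first walk in the opendkim.c hunk, as an added Python simulation for this report. It is not code from OpenDKIM or from the debdiff. It assumes that the MTA applies each milter "delete occurrence N of header X" request immediately to its current header list, so deleting occurrence N renumbers every later occurrence of X down by one, and that the A-R headers to delete are those carrying the local authserv-id; the header values, the relay name and the authserv-id mail.example.net are constructed for the example.

```python
"""Simulation of the Authentication-Results deletion ordering.

Constructed example for this report; not code from OpenDKIM or from the
debdiff.  Assumptions (not taken from the page):
  * the MTA applies each milter "delete occurrence N of header X" request
    immediately to its current header list, so deleting occurrence N
    renumbers every later occurrence of X down by one (the failure mode
    the reverse walk protects against);
  * the A-R headers to delete are the ones carrying the local authserv-id
    (mail.example.net here, a made-up name).
"""

AUTHRESULTSHDR = "Authentication-Results"


class Message:
    """MTA side: an ordered list of (name, value) headers plus a model of
    smfi_chgheader(): index is 1-based among headers called `name`, and a
    value of None deletes that occurrence."""

    def __init__(self, headers):
        self.headers = list(headers)

    def _positions(self, name):
        return [i for i, (n, _) in enumerate(self.headers) if n.lower() == name.lower()]

    def chgheader(self, name, index, value=None):
        positions = self._positions(name)
        if not 1 <= index <= len(positions):
            return False              # out of range: nothing happens
        pos = positions[index - 1]
        if value is None:
            del self.headers[pos]     # later occurrences move down by one
        else:
            self.headers[pos] = (name, value)
        return True

    def values(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]


def authserv_id(value):
    """The authserv-id is the first token of an A-R value (RFC 8601)."""
    tokens = value.split(";", 1)[0].split()
    return tokens[0] if tokens else ""


def delete_forward(msg, local_id):
    """Pre-patch walk: head to tail, c counts A-R headers as it goes."""
    snapshot = list(msg.headers)          # the milter's own header copy
    c = 0
    for name, value in snapshot:
        if name.lower() == AUTHRESULTSHDR.lower():
            c += 1
            if authserv_id(value) == local_id:
                msg.chgheader(AUTHRESULTSHDR, c, None)
    return msg.values(AUTHRESULTSHDR)


def delete_reverse(msg, local_id):
    """Patched walk: count first, then tail to head with c pre-decremented,
    so the highest-numbered occurrence is deleted first."""
    snapshot = list(msg.headers)
    c = 1 + sum(1 for n, _ in snapshot if n.lower() == AUTHRESULTSHDR.lower())
    for name, value in reversed(snapshot):
        if name.lower() == AUTHRESULTSHDR.lower():
            c -= 1
            if authserv_id(value) == local_id:
                msg.chgheader(AUTHRESULTSHDR, c, None)
    return msg.values(AUTHRESULTSHDR)


LOCAL_ID = "mail.example.net"   # assumed local authserv-id


def crafted_message():
    """Constructed input: three A-R headers forged with the local authserv-id
    around one genuine A-R header from an upstream relay."""
    return Message([
        ("From", "someone@example.com"),
        (AUTHRESULTSHDR, "mail.example.net; dkim=pass header.d=bank.example"),
        (AUTHRESULTSHDR, "relay.example.org; spf=pass smtp.mailfrom=example.com"),
        (AUTHRESULTSHDR, "mail.example.net; spf=pass smtp.mailfrom=bank.example"),
        (AUTHRESULTSHDR, "mail.example.net; dmarc=pass header.from=bank.example"),
        ("Subject", "crafted test message"),
    ])


def forged_survivors(walk):
    """A-R headers still claiming the local authserv-id after `walk` ran."""
    return [v for v in walk(crafted_message(), LOCAL_ID) if authserv_id(v) == LOCAL_ID]


if __name__ == "__main__":
    print("forward walk leaves:", forged_survivors(delete_forward))
    print("reverse walk leaves:", forged_survivors(delete_reverse))
```

With the forward walk, deleting occurrence 1 renumbers the rest, so the request to delete occurrence 3 removes the fourth header instead and the request for occurrence 4 hits nothing; one forged "mail.example.net" header survives. The reverse walk deletes occurrences 4, 3 and 1 in that order, and only the relay's genuine header remains.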