Debian Bug report logs - #966464
opendmarc: CVE-2020-12460
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Scott Kitterman <scott@kitterman.com>: Bug#966464; Package src:opendmarc. (Tue, 28 Jul 2020 19:24:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, Scott Kitterman <scott@kitterman.com>. (Tue, 28 Jul 2020 19:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: opendmarc
Version: 1.4.0~beta1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/trusteddomainproject/OpenDMARC/issues/64
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Control: found -1 1.3.2-6+deb10u1
Control: found -1 1.3.2-6
Hi,
The following vulnerability was published for opendmarc.
CVE-2020-12460[0]:
| OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper
| null termination in the function opendmarc_xml_parse that can result
| in a one-byte heap overflow in opendmarc_xml when parsing a specially
| crafted DMARC aggregate report. This can cause remote memory
| corruption when a '\0' byte overwrites the heap metadata of the next
| chunk and its PREV_INUSE flag.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-12460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
[1] https://github.com/trusteddomainproject/OpenDMARC/issues/64
Regards,
Salvatore
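As an added illustration of the bug class named in the CVE text above, and not OpenDMARC's own code nor the upstream patch referenced in this report, the C snippet below uses hypothetical helpers `find_tag_text`, `copy_tag_text` and `dup_tag_text` on a constructed fragment of an aggregate report. The point it makes is the one the CVE description turns on: a copy that reserves or checks only `len` bytes and then writes `buf[len] = '\0'` places the terminator one byte past the end of the buffer, so the fix is to reserve `len + 1` bytes and to refuse the copy when a caller-supplied buffer cannot hold that.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OpenDMARC code): locate the text between
 * <tag> and </tag> in an XML-like buffer. Returns a pointer into xml and
 * stores the text length in *len, or NULL if the tag is absent. The
 * constructed input has no attributes, nesting or entities. */
static const char *find_tag_text(const char *xml, const char *tag, size_t *len)
{
    char open[64], close[64];
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open) return NULL;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close) return NULL;
    const char *start = strstr(xml, open);
    if (!start) return NULL;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Copy tag text into a caller-provided buffer of dst_cap bytes.
 * The off-by-one behind CVE-2020-12460 is writing the terminator without
 * room reserved for it: checking or allocating len bytes and then doing
 * buf[len] = '\0' writes one byte past the end. Here the check demands
 * len + 1 bytes before any write. Returns the text length, or -1 when the
 * tag is missing or the buffer is too small. */
int copy_tag_text(const char *xml, const char *tag, char *dst, size_t dst_cap)
{
    size_t len;
    const char *text = find_tag_text(xml, tag, &len);
    if (!text) return -1;
    if (len + 1 > dst_cap) return -1;   /* no room for the '\0' */
    memcpy(dst, text, len);
    dst[len] = '\0';                    /* in bounds: len < dst_cap */
    return (int)len;
}

/* Heap variant: the allocation itself reserves the terminator byte, so
 * the '\0' lands inside this chunk rather than in the next chunk's
 * metadata. Caller frees the result. */
char *dup_tag_text(const char *xml, const char *tag)
{
    size_t len;
    const char *text = find_tag_text(xml, tag, &len);
    if (!text) return NULL;
    char *buf = malloc(len + 1);        /* malloc(len) would be the off-by-one */
    if (!buf) return NULL;
    memcpy(buf, text, len);
    buf[len] = '\0';
    return buf;
}

/* Constructed sample resembling part of a DMARC aggregate report. */
const char *SAMPLE_REPORT =
    "<feedback><report_metadata><org_name>example.net</org_name>"
    "<report_id>12345</report_id></report_metadata></feedback>";

int main(void)
{
    char small[11];   /* exactly strlen("example.net"): no room for '\0' */
    char ok[12];
    printf("cap 11: %d\n", copy_tag_text(SAMPLE_REPORT, "org_name", small, sizeof small));
    printf("cap 12: %d -> %s\n", copy_tag_text(SAMPLE_REPORT, "org_name", ok, sizeof ok), ok);
    char *id = dup_tag_text(SAMPLE_REPORT, "report_id");
    printf("report_id: %s\n", id ? id : "(none)");
    free(id);
    return 0;
}
```

The 11-byte destination is the interesting case: it holds every byte of `example.net`, and a copy that checks only `len` against capacity would accept it and then write the terminator into whatever follows the buffer. Any review of a fix for this class of bug should look for that `+ 1` in both the capacity check and the allocation size.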
Marked as found in versions opendmarc/1.3.2-6+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 28 Jul 2020 19:24:04 GMT)
Marked as found in versions opendmarc/1.3.2-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 28 Jul 2020 19:24:05 GMT)
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 14 Sep 2020 17:27:04 GMT)
Reply sent to David Bürgin <dbuergin@gluet.ch>: You have taken responsibility. (Sat, 19 Sep 2020 08:39:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 19 Sep 2020 08:39:05 GMT)
Message #16 received at 966464-close@bugs.debian.org:
Source: opendmarc
Source-Version: 1.4.0~beta1+dfsg-3
Done: David Bürgin <dbuergin@gluet.ch>
We believe that the bug you reported is fixed in the latest version of
opendmarc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 966464@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Bürgin <dbuergin@gluet.ch> (supplier of updated opendmarc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 19 Sep 2020 08:40:47 +0200
Source: opendmarc
Architecture: source
Version: 1.4.0~beta1+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Scott Kitterman <scott@kitterman.com>
Changed-By: David Bürgin <dbuergin@gluet.ch>
Closes: 965284 966464
Changes:
opendmarc (1.4.0~beta1+dfsg-3) unstable; urgency=high
.
* Cherry-pick patch for CVE-2020-12460 from upstream:
- Add proper null-termination in opendmarc_xml_parse (Closes: #966464)
* Shut down debconf with db_stop in opendmarc.postinst,
patch by "B.R.S.Roso" <rici@roso93.net> (Closes: #965284)
* Add missing DEP-3 headers tracking upstream bug in d/patches
Checksums-Sha1:
e8af16bea41c757f86be3b801b10c32333bed90c 2178 opendmarc_1.4.0~beta1+dfsg-3.dsc
862b4af23a3cfa4510ad7c43e2e16d2bc8d21712 26684 opendmarc_1.4.0~beta1+dfsg-3.debian.tar.xz
Checksums-Sha256:
3f605f02ba0db8557c7a2e4cfd1b134cbdc3a0e0fdeeba0757a699d3a420d83d 2178 opendmarc_1.4.0~beta1+dfsg-3.dsc
18ca960698b045ad43455f6ed76dc452eea3f18ca1f9901cc744f13105504e4d 26684 opendmarc_1.4.0~beta1+dfsg-3.debian.tar.xz
Files:
bb19463587886163cad4c97a896cb345 2178 mail optional opendmarc_1.4.0~beta1+dfsg-3.dsc
81ae45494833be2bcf0b1d930b197fd5 26684 mail optional opendmarc_1.4.0~beta1+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Oct 2020 07:26:41 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Oct 8 03:09:43 2023