untrusted comment: verify with openbsd-66-base.pub RWSvK/c+cFe24PQlSW4IqzXO+O//TGxzhpNhtvf3OZuAuk9HJESyiBCLgdRXom7PLKrqj6GlTDphA7DzYR5zcj78+u0yIkgpEAE= OpenBSD 6.6 errata 021, February 24, 2020: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. Apply by doing: signify -Vep /etc/signify/openbsd-66-base.pub -x \ 021_smtpd_envelope.patch.sig -m - | (cd /usr/src && patch -p0) And then rebuild and install smtpd: cd /usr/src/usr.sbin/smtpd make obj make make install Index: usr.sbin/smtpd/makemap.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/makemap.c,v retrieving revision 1.72 diff -u -r1.72 makemap.c --- usr.sbin/smtpd/makemap.c 28 Dec 2018 11:40:29 -0000 1.72 +++ usr.sbin/smtpd/makemap.c 20 Feb 2020 01:00:42 -0000 @@ -83,8 +83,13 @@ int ch, dbputs = 0, Uflag = 0; DBTYPE dbtype = DB_HASH; char *p; + gid_t gid; int fd = -1; + gid = getgid(); + if (setresgid(gid, gid, gid) == -1) + err(1, "setresgid"); + if ((env = config_default()) == NULL) err(1, NULL); @@ -161,9 +166,9 @@ errx(1, "database name too long"); } - execlp("makemap", "makemap", "-d", argv[0], "-o", dbname, "-", - (char *)NULL); - err(1, "execlp"); + execl(PATH_MAKEMAP, "makemap", "-d", argv[0], "-o", dbname, + "-", (char *)NULL); + err(1, "execl"); } if (mode == P_NEWALIASES) { Index: usr.sbin/smtpd/mta_session.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v retrieving revision 1.122.2.1 diff -u -r1.122.2.1 mta_session.c --- usr.sbin/smtpd/mta_session.c 28 Jan 2020 21:37:29 -0000 1.122.2.1 +++ usr.sbin/smtpd/mta_session.c 20 Feb 2020 01:00:42 -0000 @@ -1177,7 +1177,7 @@ if (cont) { if (s->replybuf[0] == '\0') (void)strlcat(s->replybuf, line, sizeof s->replybuf); - else { + else if (len > 4) { line = line + 4; if (isdigit((int)*line) && *(line + 1) == '.' && isdigit((int)*line+2) && *(line + 3) == '.' && @@ -1192,7 +1192,9 @@ /* last line of a reply, check if we're on a continuation to parse out status and ESC. * if we overflow reply buffer or are not on continuation, log entire last line. */ - if (s->replybuf[0] != '\0') { + if (s->replybuf[0] == '\0') + (void)strlcat(s->replybuf, line, sizeof s->replybuf); + else if (len > 4) { p = line + 4; if (isdigit((int)*p) && *(p + 1) == '.' && isdigit((int)*p+2) && *(p + 3) == '.' && @@ -1201,8 +1203,6 @@ if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf) (void)strlcpy(s->replybuf, line, sizeof s->replybuf); } - else - (void)strlcpy(s->replybuf, line, sizeof s->replybuf); if (s->state == MTA_QUIT) { log_info("%016"PRIx64" mta disconnected reason=quit messages=%zu", Index: usr.sbin/smtpd/smtpctl.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.c,v retrieving revision 1.165 diff -u -r1.165 smtpctl.c --- usr.sbin/smtpd/smtpctl.c 23 Jul 2019 08:11:10 -0000 1.165 +++ usr.sbin/smtpd/smtpctl.c 20 Feb 2020 01:00:42 -0000 @@ -1125,7 +1125,7 @@ */ for (i = 1; i < argc; i++) if (strncmp(argv[i], "-bi", 3) == 0) - exit(makemap(P_NEWALIASES, argc, argv)); + exit(makemap(P_SENDMAIL, argc, argv)); if (!srv_connect()) offlinefp = offline_file(); Index: usr.sbin/smtpd/smtpd-defines.h =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd-defines.h,v retrieving revision 1.10 diff -u -r1.10 smtpd-defines.h --- usr.sbin/smtpd/smtpd-defines.h 27 Dec 2018 15:41:50 -0000 1.10 +++ usr.sbin/smtpd/smtpd-defines.h 20 Feb 2020 01:00:42 -0000 @@ -37,6 +37,7 @@ #define SMTPD_QUEUE_USER "_smtpq" #define SMTPD_QUEUE_GROUP "_smtpq" #define PATH_SPOOL "/var/spool/smtpd" +#define PATH_MAKEMAP "/usr/sbin/makemap" #define SUBADDRESSING_DELIMITER "+" Index: usr.sbin/smtpd/smtpd.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd.c,v retrieving revision 1.325 diff -u -r1.325 smtpd.c --- usr.sbin/smtpd/smtpd.c 3 Sep 2019 04:48:20 -0000 1.325 +++ usr.sbin/smtpd/smtpd.c 20 Feb 2020 01:00:42 -0000 @@ -81,9 +81,9 @@ static int imsg_wait(struct imsgbuf *, struct imsg *, int); static void offline_scan(int, short, void *); -static int offline_add(char *); +static int offline_add(char *, uid_t, gid_t); static void offline_done(void); -static int offline_enqueue(char *); +static int offline_enqueue(char *, uid_t, gid_t); static void purge_task(void); static int parent_auth_user(const char *, const char *); @@ -112,6 +112,8 @@ struct offline { TAILQ_ENTRY(offline) entry; + uid_t uid; + gid_t gid; char *path; }; @@ -1550,7 +1552,8 @@ continue; } - if (offline_add(e->fts_name)) { + if (offline_add(e->fts_name, e->fts_statp->st_uid, + e->fts_statp->st_gid)) { log_warnx("warn: smtpd: " "could not add offline message %s", e->fts_name); continue; @@ -1570,7 +1573,7 @@ } static int -offline_enqueue(char *name) +offline_enqueue(char *name, uid_t uid, gid_t gid) { char *path; struct stat sb; @@ -1633,6 +1636,18 @@ _exit(1); } + if (sb.st_uid != uid) { + log_warnx("warn: smtpd: file %s has bad uid %d", + path, sb.st_uid); + _exit(1); + } + + if (sb.st_gid != gid) { + log_warnx("warn: smtpd: file %s has bad gid %d", + path, sb.st_gid); + _exit(1); + } + pw = getpwuid(sb.st_uid); if (pw == NULL) { log_warnx("warn: smtpd: getpwuid for uid %d failed", @@ -1689,17 +1704,19 @@ } static int -offline_add(char *path) +offline_add(char *path, uid_t uid, gid_t gid) { struct offline *q; if (offline_running < OFFLINE_QUEUEMAX) /* skip queue */ - return offline_enqueue(path); + return offline_enqueue(path, uid, gid); q = malloc(sizeof(*q) + strlen(path) + 1); if (q == NULL) return (-1); + q->uid = uid; + q->gid = gid; q->path = (char *)q + sizeof(*q); memmove(q->path, path, strlen(path) + 1); TAILQ_INSERT_TAIL(&offline_q, q, entry); @@ -1718,7 +1735,7 @@ if ((q = TAILQ_FIRST(&offline_q)) == NULL) break; /* all done */ TAILQ_REMOVE(&offline_q, q, entry); - offline_enqueue(q->path); + offline_enqueue(q->path, q->uid, q->gid); free(q); } } Index: usr.sbin/smtpd/smtpd.h =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v retrieving revision 1.641 diff -u -r1.641 smtpd.h --- usr.sbin/smtpd/smtpd.h 30 Sep 2019 08:31:41 -0000 1.641 +++ usr.sbin/smtpd/smtpd.h 20 Feb 2020 01:00:42 -0000 @@ -98,8 +98,9 @@ #define MTA_EXT_DSN 0x400 -#define P_NEWALIASES 0 -#define P_MAKEMAP 1 +#define P_SENDMAIL 0 +#define P_NEWALIASES 1 +#define P_MAKEMAP 2 #define CERT_ERROR -1 #define CERT_OK 0