Bug 29035 - opendmarc new security issues CVE-2019-20790, CVE-2020-12272, CVE-2020-12460
Summary: opendmarc new security issues CVE-2019-20790, CVE-2020-12272, CVE-2020-12460
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-30 02:56 CEST by David Walser
Modified: 2021-08-03 19:48 CEST

See Also:
Source RPM: opendmarc-1.3.2-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-05-30 02:56:49 CEST
Fedora has issued an advisory on May 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JHDKMCZGE3W4XBP76NLI2Q7IOZHXLD4A/

The issue is fixed upstream in 1.4.0.

Mageia 8 is also affected.
David Walser 2021-05-30 02:57:01 CEST

Severity: normal => major
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.4.0

Comment 1 Raphael Gertz 2021-05-30 04:15:02 CEST
I will try to update to version 1.4.1.1, but as they moved from sf to github, I have a few adaptations to do.
Comment 2 Raphael Gertz 2021-05-30 04:16:03 CEST
Thanks for the bug report. I will do it asap in the next few days.
Comment 3 David Walser 2021-05-31 23:52:49 CEST
Fedora has issued an advisory today (May 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/

The issues are fixed upstream in 1.4.1.

Status comment: Fixed upstream in 1.4.0 => Fixed upstream in 1.4.1
Summary: opendmarc new security issue CVE-2020-12460 => opendmarc new security issues CVE-2019-20790, CVE-2020-12272, CVE-2020-12460

Comment 4 Raphael Gertz 2021-07-28 12:06:07 CEST
OpenDMARC updated to version 1.4.1.1.

CVE+update to do for mga7.

Status: NEW => ASSIGNED

Comment 5 Raphael Gertz 2021-07-28 12:23:07 CEST
I did the update, but can't submit it to core/updates_testing

May an admin do it?

$ mgarepo submit 7/opendmarc --define section=core/updates_testing -t 7
Fetching revision...
URL: svn+ssh://svn.mageia.org/svn/packages/updates/7/opendmarc
Commit: 1738023 | rapsys | Backport opendmarc version 1.4.1.1 in updates to fix bug ...
error: command failed: ssh pkgsubmit.mageia.org /usr/local/bin/submit_package -t 7 --define sid=814aecff-52e3-43b9-ba79-a3a7990852f9 --define section=core/updates_testing -r 1738023 svn+ssh://svn.mageia.org/svn/packages/updates/7/opendmarc
--2021-07-28 12:19:17--  http://binrepo.mageia.org//2983653fa076f3843f3ef064d58f35d39e21a3fe
Resolving binrepo.mageia.org (binrepo.mageia.org)... 2a02:2178:2:7::9, 212.85.158.153
Connecting to binrepo.mageia.org (binrepo.mageia.org)|2a02:2178:2:7::9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 426618 (417K) [application/x-tar]
Saving to: ‘/var/lib/schedbot/repsys/tmp/tmpwae7wjha/SOURCES/rel-opendmarc-1-4-1-1.tar.gz’

     0K .......... .......... .......... .......... .......... 12%  106M 0s
    50K .......... .......... .......... .......... .......... 24% 93.6M 0s
   100K .......... .......... .......... .......... .......... 36%  150M 0s
   150K .......... .......... .......... .......... .......... 48%  174M 0s
   200K .......... .......... .......... .......... .......... 60%  145M 0s
   250K .......... .......... .......... .......... .......... 72%  169M 0s
   300K .......... .......... .......... .......... .......... 84%  177M 0s
   350K .......... .......... .......... .......... .......... 96%  174M 0s
   400K .......... ......                                     100%  110M=0.003s

2021-07-28 12:19:17 (139 MB/s) - ‘/var/lib/schedbot/repsys/tmp/tmpwae7wjha/SOURCES/rel-opendmarc-1-4-1-1.tar.gz’ saved [426618/426618]

error: Failed to upload svn://svn.mageia.org/svn/packages/updates/7/opendmarc:
Executing perl -I/usr/share/mga-youri-submit/lib /usr/share/mga-youri-submit/bin/youri-submit --config /etc/youri/submit-todo.conf --define user=rapsys --define sid=814aecff-52e3-43b9-ba79-a3a7990852f9 --define section=core/updates_testing 7 /var/lib/schedbot/repsys/srpms/@1738023:opendmarc-1.4.1.1-1.mga7.src.rpm (sudo_user rapsys)
Initializing repository
Executing /usr/bin/rpmlint -f /usr/share/rpmlint/config /var/lib/schedbot/repsys/srpms/@1738023:opendmarc-1.4.1.1-1.mga7.src.rpm
/usr/share/rpmlint/Pkg.py:168: UnicodeWarning: decode() called on unicode string, see https://bugzilla.redhat.com/show_bug.cgi?id=1693751
  s.decode('UTF-8')
Submission errors, aborting:
- opendmarc-1.4.1.1-1.mga7.src:
 - FREEZE: repository 7 section core/updates_testing is frozen, you can still submit your packages in testing
To do so use your.devel --define section=<section> 7 <package 1> <package 2> ... <package n>
Comment 6 Raphael Gertz 2021-07-28 12:44:26 CEST
I have uploaded an updated package for Mageia 7.

You can test this by installing opendmarc.

Suggested advisory:
========================

Updated opendmarc packages fix security vulnerabilities:

Opendmarc before version 1.4.0 is vulnerable to the following CVEs:
CVE-2019-20790, CVE-2020-12272, CVE-2020-12460

This updated version 1.4.1.1 is not affected by these vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
https://github.com/trusteddomainproject/OpenDMARC/issues/111
========================

Updated packages in core/updates_testing:
========================
opendmarc-1.4.1.1-1.mga7
lib(64)opendmarc2-1.4.1.1-1.mga7
lib(64)opendmarc-devel-1.4.1.1-1.mga7

Source RPMs: 
opendmarc-1.4.1.1-1.mga7.src.rpm
Comment 7 Raphael Gertz 2021-07-28 12:52:06 CEST
I have uploaded an updated package for Mageia 8.

You can test this by installing opendmarc.

Suggested advisory:
========================

Updated opendmarc packages fix security vulnerabilities:

Opendmarc before version 1.4.0 is vulnerable to the following CVEs:
CVE-2019-20790, CVE-2020-12272, CVE-2020-12460

This updated version 1.4.1.1 is not affected by these vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
https://github.com/trusteddomainproject/OpenDMARC/issues/111
========================

Updated packages in core/updates_testing:
========================
opendmarc-1.4.1.1-1.mga8
lib(64)opendmarc2-1.4.1.1-1.mga8
lib(64)opendmarc-devel-1.4.1.1-1.mga8

Source RPMs: 
opendmarc-1.4.1.1-1.mga8.src.rpm
Comment 8 Raphael Gertz 2021-07-28 12:52:12 CEST
Fetching revision...
URL: svn+ssh://svn.mageia.org/svn/packages/updates/8/opendmarc
Commit: 1738028 | rapsys | Update to version 1.4.1.1
Package submitted!
Nicolas Lécureuil 2021-07-28 14:13:10 CEST

Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.4.1 => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: mageia => qa-bugs

Comment 9 David Walser 2021-07-28 14:13:36 CEST
Thanks Raphael!  Mageia 7 is EOL and wasn't affected.

CC: (none) => mageia

Comment 10 Aurelien Oudelet 2021-07-28 20:50:43 CEST
Advisory:
========================

Updated opendmarc packages fix security vulnerabilities:

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows
attacks that bypass SPF and DMARC authentication in situations where the HELO
field is inconsistent with the MAIL FROM field (CVE-2019-20790).

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication
results to provide false information about the domain that originated an e-mail
message. This is caused by incorrect parsing and interpretation of SPF/DKIM
authentication results, as demonstrated by the example.net(.example.com
substring (CVE-2020-12272).

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null
termination in the function opendmarc_xml_parse that can result in a one-byte
heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate
report. This can cause remote memory corruption when a '\0' byte overwrites the
heap metadata of the next chunk and its PREV_INUSE flag (CVE-2020-12460).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29035
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20790
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
 - https://github.com/trusteddomainproject/OpenDMARC/issues/111
========================

Updated packages in core/updates_testing:
========================
opendmarc-1.4.1.1-1.mga8
lib(64)opendmarc2-1.4.1.1-1.mga8
lib(64)opendmarc-devel-1.4.1.1-1.mga8

from SRPM:
opendmarc-1.4.1.1-1.mga8.src.rpm

CC: (none) => ouaurelien

Comment 11 Herman Viaene 2021-08-03 16:38:37 CEST
MGA8-64 Plasma on Lenovo B50.
No installation issues.
Ref https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu for some tests.
$ dig +short txt_dmarc.edpnet.be
212.71.0.99
$ opendmarc-check edpnet.be
opendmarc-check: opendmarc_policy_query_dmarc(edpnet.be): Looked up domain lacked a DMARC record

$ dig +short txt_dmarc.facebook.com
$ opendmarc-check paypal.com
DMARC record for paypal.com:
        Sample percentage: 100
        DKIM alignment: relaxed
        SPF alignment: relaxed
        Domain policy: reject
        Subdomain policy: unspecified
        Aggregate report URIs:
                mailto:d@rua.agari.com
        Failure report URIs:
                mailto:d@ruf.agari.com
The site goes on to configure opendmarc for one's own mail server, but I do not play in that league.
My tests look OK to me.

CC: (none) => herman.viaene

Comment 12 Herman Viaene 2021-08-03 16:41:39 CEST
Forgot to include first:
# systemctl -l status opendmarc
● opendmarc.service - Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter
     Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:opendmarc(8)
             man:opendmarc.conf(5)
             man:opendmarc-import(8)
             man:opendmarc-reports(8)
             http://www.trusteddomain.org/opendmarc/

# systemctl -l start opendmarc

# systemctl -l status opendmarc
● opendmarc.service - Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter
     Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-08-03 16:20:21 CEST; 4s ago
       Docs: man:opendmarc(8)
             man:opendmarc.conf(5)
             man:opendmarc-import(8)
             man:opendmarc-reports(8)
             http://www.trusteddomain.org/opendmarc/
    Process: 17153 ExecStart=/usr/sbin/opendmarc $OPTIONS (code=exited, status=0/SUCCESS)
    Process: 17155 ExecStartPost=/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/opendmarc.conf (code=exited, status=0/SUCCESS)
   Main PID: 17154 (opendmarc)
      Tasks: 3 (limit: 9402)
     Memory: 2.0M
        CPU: 19ms
     CGroup: /system.slice/opendmarc.service
             └─17154 /usr/sbin/opendmarc

aug 03 16:20:21 mach5.hviaene.thuis systemd[1]: Starting Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter...
aug 03 16:20:21 mach5.hviaene.thuis systemd[1]: Started Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter.
Comment 13 Raphael Gertz 2021-08-03 19:48:46 CEST
OpenDMARC config if you need /etc/opendmarc.conf :
BaseDirectory /run/opendmarc
HistoryFile /run/opendmarc/opendmarc.dat
PidFile /run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix/effective_tld_names.dat
Socket local:/var/spool/postfix/run/opendmarc/opendmarc.sock
UMask 002

And in /etc/postfix/main.cf :
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain

virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_transport = lmtp:unix:private/dovecot-lmtp

smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6

And in /etc/postfix/virtual :
contact@example.com             username

And in /etc/dovecot/local.conf :
protocols = imap lmtp sieve
disable_plaintext_auth = yes
auth_mechanisms = plain login
mail_location = maildir:/var/mail/%u
auth_username_format = %Ln
service auth {
  # Postfix private auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
service lmtp {
  # Dovecot private lmtp
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Perms on /var/spool/mail :
u=rwX,g=srvX,o=rx + root:mail

Perms on /var/spool/mail/username :
u=rwX,g=S,o= + username:mail

DNS records example.com :
example.com.	0	SPF	"v=spf1 a mx a:server.example.com a:office.example.com a:home.example.com ~all"
_dmarc.example.com.	0	TXT	"v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=s"
d._domainkey.example.com.	0	DKIM	v=DKIM1;k=rsa;p=QkFTRTY1U0lHTkFUVVJFSEVSRQo=;

Opendkim config in /etc/opendkim.conf :
PidFile /run/opendkim/opendkim.pid
Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  local:/var/spool/postfix/run/opendkim/opendkim.sock
Umask   002
SendReports     yes
SoftwareHeader  no
Canonicalization        relaxed/relaxed
Selector        default
MinimumKeyBits  1024
KeyFile /etc/opendkim/keys/default.private
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
OversignHeaders From

Config in /etc/opendkim/SigningTable :
*@example.com d._domainkey.example.com

Config in /etc/opendkim/KeyTable :
d._domainkey.example.com example.com:d:/etc/opendkim/keys/example.com/d.private

Generate key with :
# /usr/sbin/opendkim-genkey --bits=4096 --directory=/etc/opendkim/keys/example.com --domain=example.com --selector=d

Watch out with the key size, I remember having trouble setting it up at my domain provider with huge sizes...

The key is fake, I just base64 encoded BASE65SIGNATUREHERE :)

If you see a security issue, tell me :p

Best regards
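Illustrative Python, added here and not OpenDMARC's own code, tying together the CVE-2020-12272 parsing flaw quoted in comment 10 and the strict-alignment DMARC record (adkim=s;aspf=s) in comment 13: a substring-style check is fooled by a "(.example.com" comment in Authentication-Results, whereas stripping RFC 5322 comments first yields the real domain, which is then tested for strict or relaxed alignment. The sample headers are constructed, and the organizational-domain helper is a two-label simplification standing in for the PublicSuffixList lookup the config references.

```python
import re

# Constructed sample Authentication-Results values (not from the page). The second
# one carries the comment trick quoted in the CVE-2020-12272 advisory text.
SAMPLE_HEADERS = [
    "mx.example.com; spf=pass smtp.mailfrom=example.net",
    "mx.example.com; spf=pass smtp.mailfrom=example.net(.example.com",
]

def strip_comments(value):
    """Drop RFC 5322 comments, including nested and unterminated '(' groups."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def naive_authenticated_domain(header, org_domain):
    """Weak check: treats org_domain as authenticated if it merely appears
    inside the smtp.mailfrom token, so a '(.example.com' comment fools it."""
    m = re.search(r"smtp\.mailfrom=(\S+)", header)
    return org_domain if m and org_domain in m.group(1) else None

def parse_mailfrom_domain(header):
    """Hardened check: strip comments first, then take the bare domain token."""
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", strip_comments(header))
    return m.group(1).lower().rstrip(".") if m else None

def organizational_domain(domain):
    # Simplification (assumption): last two labels instead of a PublicSuffixList lookup.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' strict needs an exact match, 'r' relaxed
    only needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def spf_alignment_mode(dmarc_record):
    """Read aspf= from a DMARC TXT record such as the page's example; default is relaxed."""
    tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if "=" in t)
    return tags.get("aspf", "r")
```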
