Bug 29035 - opendmarc new security issues CVE-2019-20790, CVE-2020-12272, CVE-2020-12460
Summary: opendmarc new security issues CVE-2019-20790, CVE-2020-12272, CVE-2020-12460
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 02:56 CEST by David Walser
Modified: 2021-10-06 21:43 CEST
CC List: 7 users

See Also:
Source RPM: opendmarc-1.3.2-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-05-30 02:56:49 CEST
Fedora has issued an advisory on May 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JHDKMCZGE3W4XBP76NLI2Q7IOZHXLD4A/

The issue is fixed upstream in 1.4.0.

Mageia 8 is also affected.
David Walser 2021-05-30 02:57:01 CEST

Status comment: (none) => Fixed upstream in 1.4.0
Severity: normal => major
Whiteboard: (none) => MGA8TOO

Comment 1 Raphael Gertz 2021-05-30 04:15:02 CEST
I will try to update to version 1.4.1.1, but as they moved from sf to github, I have a few adaptations to do.
Comment 2 Raphael Gertz 2021-05-30 04:16:03 CEST
Thanks for the bug report. I will do it asap in the next few days.
Comment 3 David Walser 2021-05-31 23:52:49 CEST
Fedora has issued an advisory today (May 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/

The issues are fixed upstream in 1.4.1.

Summary: opendmarc new security issue CVE-2020-12460 => opendmarc new security issues CVE-2019-20790, CVE-2020-12272, CVE-2020-12460
Status comment: Fixed upstream in 1.4.0 => Fixed upstream in 1.4.1

Comment 4 Raphael Gertz 2021-07-28 12:06:07 CEST
OpenDMARC updated to version 1.4.1.1.

CVE+update to do for mga7.

Status: NEW => ASSIGNED

Comment 5 Raphael Gertz 2021-07-28 12:23:07 CEST
I did the update, but can't submit it to core/updates_testing

May an admin do it ?

$ mgarepo submit 7/opendmarc --define section=core/updates_testing -t 7
Fetching revision...
URL: svn+ssh://svn.mageia.org/svn/packages/updates/7/opendmarc
Commit: 1738023 | rapsys | Backport opendmarc version 1.4.1.1 in updates to fix bug ...
error: command failed: ssh pkgsubmit.mageia.org /usr/local/bin/submit_package -t 7 --define sid=814aecff-52e3-43b9-ba79-a3a7990852f9 --define section=core/updates_testing -r 1738023 svn+ssh://svn.mageia.org/svn/packages/updates/7/opendmarc
--2021-07-28 12:19:17--  http://binrepo.mageia.org//2983653fa076f3843f3ef064d58f35d39e21a3fe
Resolving binrepo.mageia.org (binrepo.mageia.org)... 2a02:2178:2:7::9, 212.85.158.153
Connecting to binrepo.mageia.org (binrepo.mageia.org)|2a02:2178:2:7::9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 426618 (417K) [application/x-tar]
Saving to: ‘/var/lib/schedbot/repsys/tmp/tmpwae7wjha/SOURCES/rel-opendmarc-1-4-1-1.tar.gz’

     0K .......... .......... .......... .......... .......... 12%  106M 0s
    50K .......... .......... .......... .......... .......... 24% 93.6M 0s
   100K .......... .......... .......... .......... .......... 36%  150M 0s
   150K .......... .......... .......... .......... .......... 48%  174M 0s
   200K .......... .......... .......... .......... .......... 60%  145M 0s
   250K .......... .......... .......... .......... .......... 72%  169M 0s
   300K .......... .......... .......... .......... .......... 84%  177M 0s
   350K .......... .......... .......... .......... .......... 96%  174M 0s
   400K .......... ......                                     100%  110M=0.003s

2021-07-28 12:19:17 (139 MB/s) - ‘/var/lib/schedbot/repsys/tmp/tmpwae7wjha/SOURCES/rel-opendmarc-1-4-1-1.tar.gz’ saved [426618/426618]

error: Failed to upload svn://svn.mageia.org/svn/packages/updates/7/opendmarc:
Executing perl -I/usr/share/mga-youri-submit/lib /usr/share/mga-youri-submit/bin/youri-submit --config /etc/youri/submit-todo.conf --define user=rapsys --define sid=814aecff-52e3-43b9-ba79-a3a7990852f9 --define section=core/updates_testing 7 /var/lib/schedbot/repsys/srpms/@1738023:opendmarc-1.4.1.1-1.mga7.src.rpm (sudo_user rapsys)
Initializing repository
Executing /usr/bin/rpmlint -f /usr/share/rpmlint/config /var/lib/schedbot/repsys/srpms/@1738023:opendmarc-1.4.1.1-1.mga7.src.rpm
/usr/share/rpmlint/Pkg.py:168: UnicodeWarning: decode() called on unicode string, see https://bugzilla.redhat.com/show_bug.cgi?id=1693751
  s.decode('UTF-8')
Submission errors, aborting:
- opendmarc-1.4.1.1-1.mga7.src:
 - FREEZE: repository 7 section core/updates_testing is frozen, you can still submit your packages in testing
To do so use your.devel --define section=<section> 7 <package 1> <package 2> ... <package n>
Comment 6 Raphael Gertz 2021-07-28 12:44:26 CEST
I have uploaded an updated package for Mageia 7.

You can test this by installing opendmarc.

Suggested advisory:
========================

Updated opendmarc packages fix security vulnerabilities:

Opendmarc before version 1.4.0 is vulnerable to the following CVEs:
CVE-2019-20790, CVE-2020-12272, CVE-2020-12460

This updated version 1.4.1.1 is not affected by these vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
https://github.com/trusteddomainproject/OpenDMARC/issues/111
========================

Updated packages in core/updates_testing:
========================
opendmarc-1.4.1.1-1.mga7
lib(64)opendmarc2-1.4.1.1-1.mga7
lib(64)opendmarc-devel-1.4.1.1-1.mga7

Source RPMs: 
opendmarc-1.4.1.1-1.mga7.src.rpm
Comment 7 Raphael Gertz 2021-07-28 12:52:06 CEST
I have uploaded an updated package for Mageia 8.

You can test this by installing opendmarc.

Suggested advisory:
========================

Updated opendmarc packages fix security vulnerabilities:

Opendmarc before version 1.4.0 is vulnerable to the following CVEs:
CVE-2019-20790, CVE-2020-12272, CVE-2020-12460

This updated version 1.4.1.1 is not affected by these vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
https://github.com/trusteddomainproject/OpenDMARC/issues/111
========================

Updated packages in core/updates_testing:
========================
opendmarc-1.4.1.1-1.mga8
lib(64)opendmarc2-1.4.1.1-1.mga8
lib(64)opendmarc-devel-1.4.1.1-1.mga8

Source RPMs: 
opendmarc-1.4.1.1-1.mga8.src.rpm
Comment 8 Raphael Gertz 2021-07-28 12:52:12 CEST
Fetching revision...
URL: svn+ssh://svn.mageia.org/svn/packages/updates/8/opendmarc
Commit: 1738028 | rapsys | Update to version 1.4.1.1
Package submitted!
Nicolas Lécureuil 2021-07-28 14:13:10 CEST

Status comment: Fixed upstream in 1.4.1 => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: mageia => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 9 David Walser 2021-07-28 14:13:36 CEST
Thanks Raphael! Mageia 7 is EOL and wasn't affected.

CC: (none) => mageia

Comment 10 Aurelien Oudelet 2021-07-28 20:50:43 CEST
Advisory:
========================

Updated opendmarc packages fix security vulnerabilities:

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows
attacks that bypass SPF and DMARC authentication in situations where the HELO
field is inconsistent with the MAIL FROM field (CVE-2019-20790).

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication
results to provide false information about the domain that originated an e-mail
message. This is caused by incorrect parsing and interpretation of SPF/DKIM
authentication results, as demonstrated by the example.net(.example.com
substring (CVE-2020-12272).

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null
termination in the function opendmarc_xml_parse that can result in a one-byte
heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate
report. This can cause remote memory corruption when a '\0' byte overwrites the
heap metadata of the next chunk and its PREV_INUSE flag (CVE-2020-12460).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29035
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20790
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
 - https://github.com/trusteddomainproject/OpenDMARC/issues/111
========================

Updated packages in core/updates_testing:
========================
opendmarc-1.4.1.1-1.mga8
lib(64)opendmarc2-1.4.1.1-1.mga8
lib(64)opendmarc-devel-1.4.1.1-1.mga8

from SRPM:
opendmarc-1.4.1.1-1.mga8.src.rpm

CC: (none) => ouaurelien
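The CVE-2020-12272 paragraph above describes incorrect parsing and interpretation of SPF/DKIM results, using the example.net(.example.com substring. The C program below is an added illustration written for this page, not OpenDMARC's own code: it contrasts a lenient pvalue reader that silently truncates at '(' (yielding example.net) with a strict reader that treats the same token as malformed and refuses to trust the result. The Authentication-Results header values, function names and buffer sizes are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed Authentication-Results header values (not from any real
 * message). The second carries the "example.net(.example.com" shape named
 * in the CVE-2020-12272 description. */
static const char AR_CLEAN[] =
    "mx.example.org; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net";
static const char AR_AMBIGUOUS[] =
    "mx.example.org; spf=pass smtp.mailfrom=example.net(.example.com";

/* Locate the pvalue following "<ptype.property>=" in a header value.
 * Returns a pointer just past '=' or NULL if the property is absent. */
const char *find_pvalue(const char *header, const char *ptype_property) {
    char key[64];
    if (snprintf(key, sizeof key, "%s=", ptype_property) >= (int)sizeof key) return NULL;
    const char *p = strstr(header, key);
    return p ? p + strlen(key) : NULL;
}

static int is_domain_char(unsigned char c) {
    return isalnum(c) || c == '.' || c == '-';
}

/* Lenient reading: take everything up to whitespace, ';' or a '(' comment
 * start. On the ambiguous input this silently yields "example.net".
 * Returns the copied length, or -1 if it does not fit. */
int domain_lenient(const char *pvalue, char *out, size_t outlen) {
    size_t n = 0;
    while (pvalue[n] && pvalue[n] != ';' && pvalue[n] != '(' &&
           !isspace((unsigned char)pvalue[n]))
        n++;
    if (n >= outlen) return -1;
    memcpy(out, pvalue, n);
    out[n] = '\0';
    return (int)n;
}

/* Strict reading: the pvalue must be a run of domain characters ending at
 * end-of-string, whitespace or ';'. Anything else (here an unbalanced '(')
 * is a malformed result and returns -1 instead of a truncated domain.
 * This is stricter than RFC 8601, which also permits balanced CFWS comments;
 * accepting those is deliberately left out of this illustration. */
int domain_strict(const char *pvalue, char *out, size_t outlen) {
    size_t n = 0;
    while (is_domain_char((unsigned char)pvalue[n])) n++;
    if (n == 0 || n >= outlen) return -1;
    unsigned char next = (unsigned char)pvalue[n];
    if (next != '\0' && next != ';' && !isspace(next)) return -1;  /* e.g. '(' */
    memcpy(out, pvalue, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[128];
    const char *pv = find_pvalue(AR_AMBIGUOUS, "smtp.mailfrom");
    if (pv && domain_lenient(pv, buf, sizeof buf) > 0)
        printf("lenient: smtp.mailfrom=%s\n", buf);      /* example.net */
    if (pv && domain_strict(pv, buf, sizeof buf) < 0)
        printf("strict: malformed smtp.mailfrom, result not trusted\n");
    return 0;
}
```

The security point is the disagreement, not either answer on its own: when two components in the delivery path read the same token differently, the DMARC verdict can be based on a domain the upstream check never evaluated. Failing closed on an unparseable pvalue removes that ambiguity.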

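The one-byte heap overflow in the CVE-2020-12460 paragraph is the classic pattern of copying a token into a buffer that has no room for the terminating '\0'. The C program below is an added example, not a reconstruction of OpenDMARC's opendmarc_xml_parse: it extracts element text from a constructed fragment of a DMARC aggregate report with the allocation sized len + 1, and a small arithmetic helper shows why an allocation of exactly len bytes is overrun by the terminator. The element names <source_ip> and <header_from> come from the aggregate report format; the report string, function names and values are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a fragment of a DMARC aggregate report. */
static const char SAMPLE_REPORT[] =
    "<record><row><source_ip>192.0.2.10</source_ip></row>"
    "<identifiers><header_from>example.com</header_from></identifiers></record>";

/* Number of bytes a copy of `len` characters needs so that the terminating
 * '\0' lies inside the allocation. The vulnerable pattern allocates `len`
 * and then writes buf[len] = '\0', one byte past the end of the chunk. */
size_t bytes_needed(size_t len) { return len + 1; }

/* 1 if writing a terminator after `len` characters into an allocation of
 * `alloc` bytes lands out of bounds (the bug), 0 otherwise. Pure arithmetic:
 * nothing here touches the heap, so the check itself is safe to run. */
int terminator_overflows(size_t len, size_t alloc) { return len >= alloc; }

/* Copy the text content of the first <tag>...</tag> element into a freshly
 * allocated, NUL-terminated string. Returns NULL if the element or its
 * closing tag is missing (an unterminated element is refused, not guessed).
 * Caller frees the result. */
char *xml_text(const char *doc, const char *tag) {
    char open[64], close[64];
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open) return NULL;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close) return NULL;
    const char *start = strstr(doc, open);
    if (!start) return NULL;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return NULL;
    size_t len = (size_t)(end - start);
    char *out = malloc(bytes_needed(len));   /* len + 1: room for '\0' */
    if (!out) return NULL;
    memcpy(out, start, len);
    out[len] = '\0';                         /* in bounds because of the +1 */
    return out;
}

int main(void) {
    char *ip = xml_text(SAMPLE_REPORT, "source_ip");
    char *from = xml_text(SAMPLE_REPORT, "header_from");
    printf("source_ip=%s header_from=%s\n", ip ? ip : "(none)", from ? from : "(none)");
    /* The vulnerable pattern: a 10-character value in a 10-byte allocation. */
    printf("terminator overflows a len-sized buffer: %d\n", terminator_overflows(10, 10));
    printf("terminator overflows a len+1 buffer: %d\n", terminator_overflows(10, bytes_needed(10)));
    free(ip);
    free(from);
    return 0;
}
```

A single '\0' written past the chunk is enough to clobber the size field of the adjacent heap chunk, which is why the advisory text speaks of the PREV_INUSE flag; the fix is entirely in the allocation arithmetic, not in the parser's control flow.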
Comment 11 Herman Viaene 2021-08-03 16:38:37 CEST
MGA8-64 Plasma on Lenovo B50.
No installation issues.
Ref https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu for some tests.
$ dig +short txt_dmarc.edpnet.be
212.71.0.99
$ opendmarc-check edpnet.be
opendmarc-check: opendmarc_policy_query_dmarc(edpnet.be): Looked up domain lacked a DMARC record

$ dig +short txt_dmarc.facebook.com
$ opendmarc-check paypal.com
DMARC record for paypal.com:
        Sample percentage: 100
        DKIM alignment: relaxed
        SPF alignment: relaxed
        Domain policy: reject
        Subdomain policy: unspecified
        Aggregate report URIs:
                mailto:d@rua.agari.com
        Failure report URIs:
                mailto:d@ruf.agari.com
The site goes on to configure opendmarc for your own mail server, but I do not play in that league.
My tests look OK for me.

CC: (none) => herman.viaene

Comment 12 Herman Viaene 2021-08-03 16:41:39 CEST
Forgot to include first:
# systemctl -l status opendmarc
● opendmarc.service - Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter
     Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:opendmarc(8)
             man:opendmarc.conf(5)
             man:opendmarc-import(8)
             man:opendmarc-reports(8)
             http://www.trusteddomain.org/opendmarc/

# systemctl -l start opendmarc

# systemctl -l status opendmarc
● opendmarc.service - Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter
     Loaded: loaded (/usr/lib/systemd/system/opendmarc.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-08-03 16:20:21 CEST; 4s ago
       Docs: man:opendmarc(8)
             man:opendmarc.conf(5)
             man:opendmarc-import(8)
             man:opendmarc-reports(8)
             http://www.trusteddomain.org/opendmarc/
    Process: 17153 ExecStart=/usr/sbin/opendmarc $OPTIONS (code=exited, status=0/SUCCESS)
    Process: 17155 ExecStartPost=/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/opendmarc.conf (code=exited, status=0/SUCCESS)
   Main PID: 17154 (opendmarc)
      Tasks: 3 (limit: 9402)
     Memory: 2.0M
        CPU: 19ms
     CGroup: /system.slice/opendmarc.service
             └─17154 /usr/sbin/opendmarc

aug 03 16:20:21 mach5.hviaene.thuis systemd[1]: Starting Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter...
aug 03 16:20:21 mach5.hviaene.thuis systemd[1]: Started Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter.
Comment 13 Raphael Gertz 2021-08-03 19:48:46 CEST
OpenDMARC config if you need /etc/opendmarc.conf :
BaseDirectory /run/opendmarc
HistoryFile /run/opendmarc/opendmarc.dat
PidFile /run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix/effective_tld_names.dat
Socket local:/var/spool/postfix/run/opendmarc/opendmarc.sock
UMask 002

And in /etc/postfix/main.cf :
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain

virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_transport = lmtp:unix:private/dovecot-lmtp

smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6

And in /etc/postfix/virtual :
contact@example.com             username

And in /etc/dovecot/local.conf :
protocols = imap lmtp sieve
disable_plaintext_auth = yes
auth_mechanisms = plain login
mail_location = maildir:/var/mail/%u
auth_username_format = %Ln
service auth {
  # Postfix private auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
service lmtp {
  # Dovecot private lmtp
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Perms on /var/spool/mail :
u=rwX,g=srvX,o=rx + root:mail

Perms on /var/spool/mail/username :
u=rwX,g=S,o= + username:mail

DNS records example.com :
example.com.	0	SPF	"v=spf1 a mx a:server.example.com a:office.example.com a:home.example.com ~all"
_dmarc.example.com.	0	TXT	"v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=s"
d._domainkey.example.com.	0	DKIM	v=DKIM1;k=rsa;p=QkFTRTY1U0lHTkFUVVJFSEVSRQo=;

Opendkim config in /etc/opendkim.conf :
PidFile /run/opendkim/opendkim.pid
Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  local:/var/spool/postfix/run/opendkim/opendkim.sock
Umask   002
SendReports     yes
SoftwareHeader  no
Canonicalization        relaxed/relaxed
Selector        default
MinimumKeyBits  1024
KeyFile /etc/opendkim/keys/default.private
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
OversignHeaders From

Config in /etc/opendkim/SigningTable :
*@example.com d._domainkey.example.com

Config in /etc/opendkim/KeyTable :
d._domainkey.example.com example.com:d:/etc/opendkim/keys/example.com/d.private

Generate key with :
# /usr/sbin/opendkim-genkey --bits=4096 --directory=/etc/opendkim/keys/example.com --domain=example.com --selector=d

Watch out with key size, I remember having trouble to set it up in my domain provider with huge sizes...

Key is fake, I just base64 encoded BASE65SIGNATUREHERE :)

If you see a security issue, tell me :p

Best regards
Comment 14 Thomas Andrews 2021-10-04 20:12:00 CEST
Quite a bit out of my league, but I'm giving this an OK based on Comment 11 and Comment 12. Validating.

Please feel free to slap my hands if that is in error.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2021-10-06 19:30:00 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 15 Mageia Robot 2021-10-06 21:43:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0462.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

