Fedora has issued an advisory on November 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6E6MIXRBDDQ2GSMOCZ2PQPHNGN4RP2DS/
Patch: https://src.fedoraproject.org/rpms/opendmarc/blob/a082eefc364a3602afa5e1dad999897e6b438a18/f/cve-2024-25768.patch
CVE: (none) => CVE-2024-25768
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => opendmarc-1.4.2-2.mga9.src.rpm
Status comment: (none) => Patch available from Fedora
Normally Raphael dealt with this SRPM. Unsure whether he is still with us, CC'ing him but assigning the bug globally.
CC: (none) => mageia
Assignee: bugsquad => pkg-bugs
Still with you, but away from computer and keyboard until tomorrow evening. If it's an emergency, or disappear in my travel, feel free to deal with it in my stead ;)
# urpmi opendmarc
[...]
(média « Core Release »)
  lib64opendmarc2                1.4.2        2.mga9       x86_64
  opendmarc                      1.4.2        2.mga9       x86_64
[...]
      1/2: lib64opendmarc2
      2/2: opendmarc
[...]
# urpmi ./RPMS/x86_64/opendmarc-1.4.2-2.1.mga9.x86_64.rpm ./RPMS/x86_64/lib64opendmarc2-
lib64opendmarc2-1.4.2-2.1.mga9.x86_64.rpm            lib64opendmarc2-debuginfo-1.4.2-2.1.mga9.x86_64.rpm
# urpmi ./RPMS/x86_64/opendmarc-1.4.2-2.1.mga9.x86_64.rpm ./RPMS/x86_64/lib64opendmarc2-1.4.2-2.1.mga9.x86_64.rpm
[...]
      1/2: lib64opendmarc2
      2/2: opendmarc
      1/2: désinstallation de opendmarc-1.4.2-2.mga9.x86_64
      2/2: désinstallation de lib64opendmarc2-1.4.2-2.mga9.x86_64
[...]
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Fix null pointer dereference in opendmarc_policy.c. (CVE-2024-25768)

References:
https://github.com/trusteddomainproject/OpenDMARC/issues/256
========================

Updated packages in core/updates_testing:
========================

lib(64)opendmarc2-1.4.2-2.1.mga9.x86_64.rpm
lib(64)opendmarc2-debuginfo-1.4.2-2.1.mga9.x86_64.rpm
lib(64)opendmarc-devel-1.4.2-2.1.mga9.x86_64.rpm
opendmarc-1.4.2-2.1.mga9.x86_64.rpm

from SRPM:
opendmarc-1.4.2-2.1.mga9.src.rpm
Keywords: (none) => advisory
Whiteboard: MGA9TOO => MGA9TOO, MGA9-64-OK
URL: (none) => https://github.com/trusteddomainproject/OpenDMARC/issues/256
Assignee: pkg-bugs => qa-bugs
Test procedure: https://bugs.mageia.org/show_bug.cgi?id=29035#c13
$ host -t TXT _dmarc.rapsys.eu
_dmarc.rapsys.eu descriptive text "v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=s"
$ opendmarc-check rapsys.eu
DMARC record for rapsys.eu:
Sample percentage: 100
DKIM alignment: strict
SPF alignment: strict
Domain policy: quarantine
Subdomain policy: unspecified
Aggregate report URIs: (none)
Failure report URIs: (none)
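What opendmarc-check is doing with that TXT record is parsing the RFC 7489 tag-value list and applying the defaults (relaxed alignment, pct=100, subdomain policy inherited). The following is an added example, not OpenDMARC's own code: a small record parser that reports the same fields the tool prints above, with the rapsys.eu record from this test embedded as sample input. Function and class names (parse_dmarc, describe, DmarcRecord) are this example's own. It also carries the RFC 7489 section 6.6.3 fallback, where a record with a broken p= tag but a usable rua= is treated as p=none, which the single record in the test does not exercise.

```python
"""Parse a DMARC policy record (RFC 7489) and report the same fields
opendmarc-check prints. Added example, not OpenDMARC's own code."""
from __future__ import annotations
from dataclasses import dataclass, field

ALIGNMENT = {"r": "relaxed", "s": "strict"}
POLICIES = {"none", "quarantine", "reject"}

# Record shown in the test above (_dmarc.rapsys.eu), used as sample input.
SAMPLE_RECORD = "v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=s"


@dataclass
class DmarcRecord:
    policy: str                     # p= tag
    subdomain_policy: str | None    # sp= tag, None when unspecified
    pct: int                        # pct= tag, default 100
    adkim: str                      # "relaxed"/"strict", default relaxed
    aspf: str                       # "relaxed"/"strict", default relaxed
    rua: list[str] = field(default_factory=list)   # aggregate report URIs
    ruf: list[str] = field(default_factory=list)   # failure report URIs
    tags: dict[str, str] = field(default_factory=dict)  # all raw tags


def _split_tags(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into an ordered dict, rejecting duplicates."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags


def _uris(value: str) -> list[str]:
    return [u.strip() for u in value.split(",") if u.strip()]


def parse_dmarc(txt: str) -> DmarcRecord:
    tags = _split_tags(txt)
    # RFC 7489 6.3: v= must be the first tag and must be exactly "DMARC1".
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    rua, ruf = _uris(tags.get("rua", "")), _uris(tags.get("ruf", ""))
    policy = tags.get("p")
    if policy not in POLICIES:
        # RFC 7489 6.6.3: a missing/invalid p= with at least one rua= URI is
        # treated as p=none; without rua= the record is unusable.
        if not rua:
            raise ValueError(f"missing or invalid p= tag: {policy!r}")
        policy = "none"
    sp = tags.get("sp")
    if sp is not None and sp not in POLICIES:
        raise ValueError(f"invalid sp= tag: {sp!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct= must be an integer in 0..100: {pct!r}")
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    if adkim not in ALIGNMENT or aspf not in ALIGNMENT:
        raise ValueError("adkim= and aspf= must be 'r' or 's'")
    return DmarcRecord(policy, sp, int(pct), ALIGNMENT[adkim], ALIGNMENT[aspf],
                       rua, ruf, tags)


def is_valid_dmarc(txt: str) -> bool:
    """True when the record parses into a usable policy."""
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def describe(domain: str, rec: DmarcRecord) -> str:
    """Render the record in the layout opendmarc-check prints."""
    def uris(lst: list[str]) -> str:
        return ", ".join(lst) if lst else "(none)"
    return "\n".join([
        f"DMARC record for {domain}:",
        f"Sample percentage: {rec.pct}",
        f"DKIM alignment: {rec.adkim}",
        f"SPF alignment: {rec.aspf}",
        f"Domain policy: {rec.policy}",
        f"Subdomain policy: {rec.subdomain_policy or 'unspecified'}",
        f"Aggregate report URIs: {uris(rec.rua)}",
        f"Failure report URIs: {uris(rec.ruf)}",
    ])


if __name__ == "__main__":
    print(describe("rapsys.eu", parse_dmarc(SAMPLE_RECORD)))
```

The parser is deliberately strict about structure (v= first, known p=/sp= values, pct= in range) and lenient only where RFC 7489 says a receiver should be (the rua= fallback), which is the same trade-off a policy checker has to make before it acts on a record.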
(In reply to Nicolas Salguero from comment #0)
> Fedora has issued an advisory on November 11:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6E6MIXRBDDQ2GSMOCZ2PQPHNGN4RP2DS/
>
> Patch: https://src.fedoraproject.org/rpms/opendmarc/blob/a082eefc364a3602afa5e1dad999897e6b438a18/f/cve-2024-25768.patch

Thanks for the complete bug report with patch and references.
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA9-64-OK => MGA9-64-OK
The previous round was validated just with feedback from the packager; Thomas, you have the last word about it.
CC: (none) => andrewsfarm
(In reply to katnatek from comment #9)
> Previous round was validated just with feedback of packager, Thomas you have
> the last word about

Testing the checker CLI is easy; testing the daemon requires a mail server setup:
- domain name
- DNS entries
- port 25 open
Configuration sample available here: https://bugs.mageia.org/show_bug.cgi?id=29035#c13
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Maybe marja may help with the test while checking why I get these messages in my opendmarc logs.

# journalctl -u opendmarc
nov. 01 10:13:13 aurae.aoihime.eu opendmarc[1242833]: 60DA5FDADBD: ignoring invalid ARC-Authentication-Results header "i=1; smtp.freedom.nl; auth=pass smtp.mailfrom=marja11@freedom.nl"
CC: (none) => marja11
Removing the OK and validation because of comment 13. I am very much out of my depth when it comes to this one, so about all I can do is trust when told it is OK. If someone more knowledgeable in this area wants to validate once the issue of comment 13 is investigated, it's all right with me.
Whiteboard: MGA9-64-OK => (none)
Keywords: validated_update => (none)
(In reply to Raphael Gertz from comment #13)
> Maybe marja may help with the test while checking why I get these messages
> in my opendmarc logs
>
> # journalctl -u opendmarc
> nov. 01 10:13:13 aurae.aoihime.eu opendmarc[1242833]: 60DA5FDADBD: ignoring
> invalid ARC-Authentication-Results header "i=1; smtp.freedom.nl; auth=pass
> smtp.mailfrom=marja11@freedom.nl"

I can't help with the test, I've never set up a mail server and lack the time to learn how to do that. However, I see that that message is from November 1st, twelve days before opendmarc-1.4.2-2.1.mga9 was submitted.
I did install opendmarc though (in cauldron), to run the check on my ISP:

$ opendmarc-check freedom.nl
DMARC record for freedom.nl:
Sample percentage: 100
DKIM alignment: relaxed
SPF alignment: relaxed
Domain policy: quarantine
Subdomain policy: unspecified
Aggregate report URIs: (none)
Failure report URIs: (none)
Hello there,

The difficulty for the server part is to find a real mail server running on a Mageia system. We have one... for the mother domain mageia.org. I have already set up DKIM for mageia.org... but I'm still struggling with Puppet to deploy a minimalistic authenticating SMTP server before enforcing Sender Policy (SPF), which is required to properly set up DMARC (= policy publication + reporting for DKIM+SPF).

I'm progressing slowly, step by step, because I don't want to break something critical.

Once I have that up and running we can test and validate DMARC on our own infrastructure... If somebody else has a Mageia mail server somewhere and can check faster than what I propose: welcome \o/

Maât
CC: (none) => maat-ml
By the way, a side-topic feedback:

> $ sudo urpmi opendmarc
> Pour satisfaire les dépendances, les paquetages suivants vont être installés :
>   Paquetage                      Version      Révision     Arch
> (média « Core Release »)
>   lib64opendmarc2                1.4.2        2.mga9       x86_64
>   opendmarc                      1.4.2        2.mga9       x86_64
> (média « Core Updates »)
>   lib64milter1.0                 8.17.1       4.1.mga9     x86_64
> un espace additionnel de 533Ko sera utilisé.
> 225Ko de paquets seront récupérés.
> Procéder à l'installation des 3 paquetages ? (O/n) o
>
>
>     $MIRRORLIST: media/core/release/lib64opendmarc2-1.4.2-2.mga9.x86_64.rpm
>     $MIRRORLIST: media/core/release/opendmarc-1.4.2-2.mga9.x86_64.rpm
>     $MIRRORLIST: media/core/updates/lib64milter1.0-8.17.1-4.1.mga9.x86_64.rpm
> installation de opendmarc-1.4.2-2.mga9.x86_64.rpm lib64milter1.0-8.17.1-4.1.mga9.x86_64.rpm lib64opendmarc2-1.4.2-2.mga9.x86_64.rpm depuis /var/cache/urpmi/rpms
> Préparation...                   #########################################################################################################################################################
>       1/3: lib64opendmarc2         #########################################################################################################################################################
>       2/3: lib64milter1.0          #########################################################################################################################################################
>       3/3: opendmarc               #########################################################################################################################################################
> /usr/lib/tmpfiles.d/opendmarc.conf:3: Failed to resolve group 'postfix'.
> attention : %post(opendmarc-1.4.2-2.mga9.x86_64) scriptlet échoué, état de sortie 65
> ERROR: 'script' failed for opendmarc-1.4.2-2.mga9.x86_64
> /usr/lib/tmpfiles.d/kubernetes.conf:1: Line references path below legacy directory /var/run/, updating /var/run/kubernetes → /run/kubernetes; please update the tmpfiles.d/ drop-in file accordingly.
> /usr/lib/tmpfiles.d/opendmarc.conf:3: Failed to resolve group 'postfix'.
> ----------------------------------------------------------------------
> Plus d'information sur le paquetage opendmarc-1.4.2-2.mga9.x86_64
>
> OpenDMARC is now installed.
>
> Choose socket type in /etc/opendmarc.conf:
> # Socket inet:8893@localhost
> Socket local:/var/spool/postfix/run/opendmarc/opendmarc.sock
>
> Configure message filter in /etc/postfix/main.cf:
> # smtpd_milters = inet:localhost:8893
> smtpd_milters = unix:/run/opendmarc/opendmarc.sock
> non_smtpd_milters = $smtpd_milters
> milter_default_action = accept
> milter_protocol = 6
>
> Enable the service with:
> # systemctl enable opendmarc.service
>
> Start the service with:
> # systemctl restart opendmarc.service

There are other mail servers than Postfix: Exim, Qmail, Sendmail, James... I think it might be better not to assume that Postfix will be there, and to use conditions to detect whether Postfix is there.

My 2 cents.
I am running a mail server on Mageia 9 with Postfix, and I just installed opendmarc-1.4.2-2.1.mga9.x86_64.rpm. I'll watch it for a couple of days. It seems to work OK, though. I shall report any issues should they appear.
CC: (none) => mageia
(In reply to Maat from comment #18)
> By the way, a side-topic feedback :
>
> There are other mail servers than Postfix : Exim, Qmail, Sendmail, James...
> I think it might be better not to assume that postfix will be there... and
> use conditions to detect if postfix is there.
>
> My 2 cents.

I understand your concern; only sendmail seems to be packaged in Mageia. Could you please provide the configuration alternative for sendmail so I may improve this package?

Could you check that, in your configuration, your mail server is part of the mail group?

Would it be security-unwise to change the opendmarc default socket /var/spool/postfix/run/opendmarc/opendmarc.sock group from postfix to mail? This change would be needed for the opendkim package as well.
@Raphael Gertz, could you find out why it is failing for you? The other tests in this bug did not report issues.
(In reply to katnatek from comment #21)
> @Raphael Gertz, could you find why is failing to you?, other test in this
> bug not reported issues

For me it should have been an invalid ARC-Authentication-Results record in marja's mail, wrongly encoded by his smtp.freedom.nl. For me, it should be OK; the problem is likely coming from a misconfiguration on his side.

$ host -t TXT default._dkim.freedom.nl
default._dkim.freedom.nl descriptive text "v=spf1 redirect=soverin.net"
$ host -t TXT soverin.net
soverin.net descriptive text "MS=C2CDA1AC23034E144579814F64E1D7B9BF33A415"
soverin.net descriptive text "abuseipdb-verification=CuBHOjMv"
soverin.net descriptive text "google-site-verification=Zd-A3-9sI-ZIQmOLH9_Q--Mh5BclBPnbtQ_SBq9SKN8"
soverin.net descriptive text "v=spf1 ip4:185.233.34.0/24 ip6:2a10:de80::/32 -all"
$ host -t TXT _dmarc.freedom.nl
_dmarc.freedom.nl descriptive text "v=DMARC1; p=quarantine;"
$ cat 1731790044.M916236P3796833.aurae.aoihime.eu\,S\=5933\,W\=6050\:2\,S
Return-Path: <sysadmin-discuss-owner@ml.mageia.org>
Delivered-To: rapsys@aurae.aoihime.eu
Received: from aurae.aoihime.eu
	by aurae.aoihime.eu with LMTP
	id c/pXNtwEOWdh7zkA44UTBg
	(envelope-from <sysadmin-discuss-owner@ml.mageia.org>)
	for <rapsys@aurae.aoihime.eu>; Sat, 16 Nov 2024 21:47:24 +0100
Received: from sucuk.mageia.org (sucuk.mageia.org [IPv6:2a02:2178:2:7::7])
	by aurae.aoihime.eu (Postfix) with ESMTPS id 94C51100B267
	for <mageia@rapsys.eu>; Sat, 16 Nov 2024 21:47:24 +0100 (CET)
Authentication-Results: aurae.aoihime.eu; dmarc=none (p=none dis=none) header.from=ml.mageia.org
Authentication-Results: aurae.aoihime.eu;
	dkim=pass (1024-bit key; unprotected) header.d=ml.mageia.org header.i=@ml.mageia.org header.a=rsa-sha256 header.s=sucuk header.b=LJHV8sLL
Received: by sucuk.mageia.org (Postfix, from userid 482)
	id 16097801B4; Sat, 16 Nov 2024 21:47:23 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ml.mageia.org;
	s=sucuk; t=1731790043;
	bh=8UWjaNtGRPdXBMjyZyK8/R6mxZJ0Pnmw/rNij7fCliE=;
	h=Date:To:From:Subject:Reply-To:List-Id:List-Help:List-Subscribe:
	 List-Unsubscribe:List-Post:List-Owner:List-Archive;
	b=LJHV8sLLwUtHodPIh4q+gQxjLG/weCKMTsBQhp7jKZaF58X+981baRH1TtASvhI+u
	 lfVzaEIUarGlEAj/8UZNhIooeY3hJG37ak/dNsxq5gzUWL7ZbPwimIaPFDuEyZddsp
	 gtQqCgMlGkTzhDj2wgnwIwK3Ycjigb0DWxXiDfRg=
Received: from localhost (sucuk.mageia.org [127.0.0.1])
	by sucuk.mageia.org (Postfix) with ESMTP id 663E380150
	for <sysadmin-discuss@ml.mageia.org>; Sat, 16 Nov 2024 21:47:17 +0100 (CET)
Authentication-Results: ml.mageia.org (Sympa); arc=pass (ams.1.freedom.nl=pass, as.1.freedom.nl=pass)
X-Virus-Scanned: amavisd-new at mageia.org
Authentication-Results: sucuk.mageia.org (amavisd-new);
	dkim=pass (1024-bit key) header.d=freedom.nl header.b=irUD6th3;
	dkim=pass (2048-bit key) header.d=freedom.nl header.b=ZF7fr9Dw
Received: from sucuk.mageia.org ([127.0.0.1])
	by localhost (sucuk.mageia.org [127.0.0.1]) (amavisd-new, port 10025)
	with ESMTP id tH5gZyclCj3d for <sysadmin-discuss@ml.mageia.org>;
	Sat, 16 Nov 2024 21:47:15 +0100 (CET)
Received: from outbound.soverin.net (outbound.soverin.net [185.233.34.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by sucuk.mageia.org (Postfix) with ESMTPS id 12EE680145
	for <sysadmin-discuss@ml.mageia.org>; Sat, 16 Nov 2024 21:47:14 +0100 (CET)
Received: from smtp.freedom.nl (c04cst-smtp-frd02.int.sover.in [10.10.4.108])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by outbound.soverin.net (Postfix) with ESMTPS id 4XrQtV3Czcz7X;
	Sat, 16 Nov 2024 20:47:14 +0000 (UTC)
Received: from smtp.freedom.nl (smtp.freedom.nl [10.10.4.108])
	by freedom.nl (Postfix) with ESMTPSA id 4XrQtV18Gbz2xVD;
	Sat, 16 Nov 2024 20:47:14 +0000 (UTC)
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freedom.nl; s=default;
	t=1731790034;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:in-reply-to:
	 references;
	bh=C4wY3VuTz9+9LUPEKDn2TTutTNleWcettbPuga+Z9Nw=;
	b=MSspd+I6JD6F1xtX+i/OPGp9oSo8ndLDOBfdX6W6vbd/xZPBhYXbnHLOVgpl6K9b+qgGBD
	 0t1R2pmj8eQGryWpNkKYclLxXz18PtqlooWcZM2NvFhONlkY4q6NdALTj35bgupxU/FfFj
	 gew7LERvT3cGT9n/n1FQCp4gceffx9U=
ARC-Authentication-Results: i=1; smtp.freedom.nl; auth=pass smtp.mailfrom=marja11@freedom.nl
ARC-Seal: i=1; s=default; d=freedom.nl; t=1731790034; a=rsa-sha256; cv=none;
	b=n9cx20X1keGdas1+WC5YCxJZBSWdmN781ZJB81UYRauPpnNP7azib2lZDLNECAVAp/REhM
	 0JY6drMKplhuGyPtFNNmWl9cjn1aF7npOmgY0Jl9VQahCNZqXyq4lEfxFxzZfZD80Oa2G6
	 KfiHyiL8L9B93yCOwiDc7SQC5Ah/pYc=
Message-ID: <c5fe072f-68d3-4d94-8c0f-31ad4ddcc9b7@freedom.nl>
Date: Sat, 16 Nov 2024 21:47:01 +0100
MIME-Version: 1.0
Content-Language: nl
To: Sys Admin <sysadmin-discuss@ml.mageia.org>
From: "Marja van Waes" (via sysadmin-discuss Mailing List) <sysadmin-discuss@ml.mageia.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spampanel-Class: ham
Subject: [sysadmin-discuss] Migrate to MirrorManager2
Reply-To: sysadmin-discuss@ml.mageia.org
X-Loop: sysadmin-discuss@ml.mageia.org
X-Sequence: 2868
Errors-To: sysadmin-discuss-owner@ml.mageia.org
Precedence: list
Precedence: bulk
Sender: sysadmin-discuss-request@ml.mageia.org
X-no-archive: yes
List-Id: <sysadmin-discuss.ml.mageia.org>
List-Help: <https://ml.mageia.org/l/help>, <mailto:sympa@ml.mageia.org?subject=HELP>
List-Subscribe: <https://ml.mageia.org/l/subscribe/sysadmin-discuss>, <mailto:sympa@ml.mageia.org?subject=SUB%20sysadmin-discuss>
List-Unsubscribe: <https://ml.mageia.org/l/signoff/sysadmin-discuss>, <mailto:sympa@ml.mageia.org?subject=SIG%20sysadmin-discuss>
List-Post: <mailto:sysadmin-discuss@ml.mageia.org>
List-Owner: <mailto:sysadmin-discuss-request@ml.mageia.org>
List-Archive: <https://ml.mageia.org/l/arc/sysadmin-discuss>
Archived-At: <https://ml.mageia.org/l/msg/sysadmin-discuss/2024-11/14aKl1wBoEs_QZg9O2CBhA>
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=freedom.nl;
	s=default; t=1731790034;
	bh=8UWjaNtGRPdXBMjyZyK8/R6mxZJ0Pnmw/rNij7fCliE=;
	h=Date:To:From:Subject:From;
	b=irUD6th3NUJFT5+cwlvgg7GDDm53An7COe3KqS04QXp1KMY1x/xz9mv5qmdup88c7
	 p2CyAT6R/9287FMOACASmR4euwJ2Wq0phZ+pm+XUNgyAArtCMyQeBO+N4VALKJJI+f
	 VLYCOoY1fOyGrGS2I8Jz+m3KQU6+ie5WQqAIxHlg=
X-Original-From: Marja van Waes <marja11@freedom.nl>

Hi all,

We keep having issues with bad mirror selection and you're a great team of active sysadmins. MirrorBrain is dead upstream, so here is: https://wiki.mageia.org/en/Feature:Migrate_to_MirrorManager2

It still needs an owner (Neal doesn't have time). Does one of you feel called to take ownership?

-- 
Vriendelijke groet,
Kind regards,
Marja

Best regards
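The message above carries several Authentication-Results headers (RFC 8601) and the one ARC-Authentication-Results header (RFC 8617) that the journal entry in comment 13 called invalid. As an added example that is not OpenDMARC's own parser (so it says nothing about why OpenDMARC rejected that header, only what the RFC grammar accepts), here is a parser for both header forms that is run over the exact header values taken from the mail above. Function and class names (parse_authres, strip_comments, AuthResults, MethodResult) are this example's own. The one thing worth noticing in practice is that comments must be stripped before splitting on ";", because a comment such as "(1024-bit key; unprotected)" contains the field separator.

```python
"""Parse Authentication-Results (RFC 8601) and ARC-Authentication-Results
(RFC 8617) header values. Added example, not OpenDMARC's ares.c."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# RFC 2045 token: no whitespace, controls or tspecials ()<>@,;:\"/[]?=
TOKEN_RE = re.compile(r'^[^\s()<>@,;:\\"/\[\]?=]+$')
# methodspec: method [ "/" version ] "=" result
METHOD_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:/\d+)?=([A-Za-z0-9_-]+)$")
# propspec: ptype "." property "=" pvalue
PROP_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)=(\S+)$")

# Header values copied from the message above, used as sample input.
SAMPLE_AR = ("aurae.aoihime.eu; dkim=pass (1024-bit key; unprotected) "
             "header.d=ml.mageia.org header.i=@ml.mageia.org header.a=rsa-sha256 "
             "header.s=sucuk header.b=LJHV8sLL")
SAMPLE_ARC = "i=1; smtp.freedom.nl; auth=pass smtp.mailfrom=marja11@freedom.nl"


@dataclass
class MethodResult:
    method: str
    result: str
    reason: str | None = None
    properties: dict[str, str] = field(default_factory=dict)  # "ptype.property" -> value


@dataclass
class AuthResults:
    authserv_id: str
    instance: int | None = None   # ARC i= tag; None for plain Authentication-Results
    version: int | None = None    # optional authres-version after the authserv-id
    results: list[MethodResult] = field(default_factory=list)


def strip_comments(s: str) -> str:
    """Drop RFC 5322 comments, honouring nesting. Must run before splitting
    on ';' since a comment may itself contain a semicolon."""
    out: list[str] = []
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' in header")
            depth -= 1
        elif depth == 0:
            out.append(ch)
    if depth:
        raise ValueError("unterminated comment in header")
    return "".join(out)


def parse_authres(value: str, arc: bool = False) -> AuthResults:
    fields = [f.strip() for f in strip_comments(value).split(";")]
    if fields and fields[-1] == "":
        fields.pop()                              # tolerate a trailing ';'
    if not fields:
        raise ValueError("empty header value")
    instance = None
    if arc:                                       # RFC 8617: "i=N;" precedes the payload
        m = re.fullmatch(r"i\s*=\s*(\d+)", fields.pop(0))
        if not m or not 1 <= int(m.group(1)) <= 50:
            raise ValueError("ARC header must begin with i=1..50")
        instance = int(m.group(1))
        if not fields:
            raise ValueError("missing authserv-id")
    head = fields[0].split()
    if not head or not TOKEN_RE.match(head[0]):
        raise ValueError(f"invalid authserv-id: {fields[0]!r}")
    version = None
    if len(head) == 2 and head[1].isdigit():
        version = int(head[1])
    elif len(head) > 1:
        raise ValueError(f"unexpected text after authserv-id: {fields[0]!r}")
    parsed = AuthResults(head[0], instance, version)
    for resinfo in fields[1:]:
        # Collapse optional whitespace around '=' and '.' so tokens split cleanly
        # (simplification: quoted reason strings containing spaces are not handled).
        tokens = re.sub(r"\s*([=.])\s*", r"\1", resinfo).split()
        if tokens == ["none"]:                    # no-result form: "authserv-id; none"
            continue
        m = METHOD_RE.match(tokens[0])
        if not m:
            raise ValueError(f"expected method=result, got {tokens[0]!r}")
        mr = MethodResult(m.group(1).lower(), m.group(2).lower())
        for tok in tokens[1:]:
            if tok.startswith("reason="):
                mr.reason = tok[len("reason="):].strip('"')
                continue
            p = PROP_RE.match(tok)
            if not p:
                raise ValueError(f"expected ptype.property=value, got {tok!r}")
            mr.properties[f"{p.group(1).lower()}.{p.group(2).lower()}"] = p.group(3)
        parsed.results.append(mr)
    return parsed


def is_valid_authres(value: str, arc: bool = False) -> bool:
    """True when the value follows the RFC 8601/8617 structure."""
    try:
        parse_authres(value, arc=arc)
        return True
    except ValueError:
        return False
```

Note the asymmetry the two header types create: fed the ARC value without arc=True, the parser refuses it because "i=1" is not a valid authserv-id token, while the same value with arc=True parses into instance 1, authserv-id smtp.freedom.nl and a single auth=pass result carrying smtp.mailfrom. A receiver-side filter has to know which header it is looking at before judging the value.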
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0370.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED