An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
Release 6.6.3p1 (2020-02-10)
Following the 6.6.2p1 release, various improvements were done in OpenBSD -current to mitigate the risk of similar bugs.
Seems to still work in peer2peer mode (raw IPv6 addresses instead of domains). I didn't run the exploit, as I only send to trusted peers. But if I get to it, I'll add another comment.
This update has been submitted for testing by dfateyev.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
fweimer edited this update.
CVE-2020-8794 for this important security patch
Seems to still work in peer2peer mode (raw IPv6 addresses instead of domains). I didn't run the exploit, as I only send to trusted peers. But if I get to it, I'll add another comment.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by bodhi.
This update has been pushed to stable.