OpenDMARC 1.4.1 segfault several times on two VMs, CentOS 7/8 #179

Closed
cseres3 opened this issue Jun 8, 2021 · 33 comments

@cseres3

cseres3 commented Jun 8, 2021

Hi,
yesterday and today OpenDMARC has crashed with a segfault half a dozen times on two virtual machines, one of them CentOS7, another CentOS8, both up-to-date and have OpenDKIM version 1.4.1. Before yesterday OpenDMARC and libopendmarc version 1.3.2 were installed and they worked fine.

Last dmesg info was
[Tue Jun 8 11:19:32 2021] opendmarc[11107]: segfault at 0 ip 00007fa89690c327 sp 00007fa88ffdb1a8 error 4 in libc-2.17.so[7fa8967c5000+1c4000]

Red Hat Abrtd service was running, there is coredump and other files saved by it. Is there some additional information you would need to investigate the issue?

The package version is opendmarc-1.4.1-1.el7.x86_64 on CentOS7 and opendmarc-1.4.1-1.el8.x86_64 on CentOS8.

@glts
Contributor

glts commented Jun 8, 2021

Please provide the backtrace from the coredump.

@cseres3
Author

cseres3 commented Jun 8, 2021

backtrace.txt
Backtrace created with abrt-action-generate-backtrace attached. One name is replaced with xx's.

@glts
Contributor

glts commented Jun 8, 2021

I have difficulties deciphering this, but if I had to go out on a limb this looks like a NULL dereference here: https://github.com/trusteddomainproject/OpenDMARC/blob/rel-opendmarc-1-4-1/opendmarc/opendmarc.c#L2480

This is the fix for CVE-2019-16378. If OpenDMARC can now be crashed with a multi-value From input then that fix just opened a new hole (DoS). Would be good to have a repro. Then someone file a new CVE if necessary ...

@sriccio

sriccio commented Jun 9, 2021

Hello,

We're seeing the same issue here on E.F.A v4.

opendmarc packages were updated and it started to segfault daily at random times

[root@mx1 ~]# yum history info 136
Loaded plugins: fastestmirror
Transaction ID : 136
Begin time     : Mon Jun  7 08:43:36 2021
Begin rpmdb    : 750:3e7c4467092ba328515d976ae9be6ab76f463611
End time       :            08:43:38 2021 (2 seconds)
End rpmdb      : 750:edee20cdba2ea3ea406f889beea1a52f367411ac
User           : root <root>
Return-Code    : Success
Transaction performed with:
    Installed     rpm-4.11.3-45.el7.x86_64                        @base
    Installed     yum-3.4.3-168.el7.centos.noarch                 @base
    Installed     yum-metadata-parser-1.1.4-10.el7.x86_64         @anaconda
    Installed     yum-plugin-fastestmirror-1.1.31-54.el7_8.noarch @updates
Packages Altered:
    Updated libopendmarc-1.3.2-1.el7.x86_64 @epel
    Update               1.4.1-1.el7.x86_64 @epel
    Updated opendmarc-1.3.2-1.el7.x86_64    @epel
    Update            1.4.1-1.el7.x86_64    @epel
[92878.213379] opendmarc[16670]: segfault at 0 ip 00007f501d31b2a1 sp 00007f4fd97d61a8 error 4 in libc-2.17.so[7f501d1d4000+1c4000]

I've considered a rollback to 1.3.2-1.el7.x86_64 but the files seem gone from EPEL directories...
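
Reading the two kernel segfault lines quoted so far in this thread, as an added example that is not part of the original thread or of the OpenDMARC project: the parser below decodes the fault address, the x86 page-fault error code and the offset of the faulting instruction inside the mapped object. The function names and the "fault inside the first page means NULL dereference" heuristic are assumptions of this example.

```python
import re

# The two dmesg lines quoted in this thread, copied verbatim as sample input.
SAMPLE_LINES = [
    "[Tue Jun 8 11:19:32 2021] opendmarc[11107]: segfault at 0 ip 00007fa89690c327 "
    "sp 00007fa88ffdb1a8 error 4 in libc-2.17.so[7fa8967c5000+1c4000]",
    "[92878.213379] opendmarc[16670]: segfault at 0 ip 00007f501d31b2a1 "
    "sp 00007f4fd97d61a8 error 4 in libc-2.17.so[7f501d1d4000+1c4000]",
]

# Format of the x86 Linux "segfault at" message; every number is printed in hex.
SEGV_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(err):
    """Decode the low bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if err & 1 else "page not mapped",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
    }

def triage(line):
    """Return a dict describing one segfault line, or None if it is not one."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    info = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr,
            # Heuristic (assumption): a fault inside the first page is a NULL dereference.
            "null_deref": addr < 0x1000, "object": m["obj"], "offset": None}
    info.update(decode_error(int(m["err"], 16)))
    if m["base"] is not None:
        # Offset of the faulting instruction inside the mapping; unlike the raw
        # ip it does not move with ASLR, so it can be compared between hosts.
        info["offset"] = ip - int(m["base"], 16)
    return info

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        t = triage(line)
        print(f'{t["comm"]}[{t["pid"]}] {t["access"]} of {t["fault_addr"]:#x} '
              f'({t["cause"]}, {t["mode"]} mode) at {t["object"]}+{t["offset"]:#x}')
```

For both lines the result is a user-mode read of address 0 inside libc-2.17.so, at offsets 0x147327 and 0x1472a1 from the start of the mapping.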

@glts
Contributor

glts commented Jun 9, 2021

I could reproduce the problem and have pushed another commit at #178. Please apply and try patch https://patch-diff.githubusercontent.com/raw/trusteddomainproject/OpenDMARC/pull/178.patch.

Please someone file a CVE, I don't have the energy right now. OpenDMARC 1.4.1.1 is a sitting duck and can be shot down by anyone at any time.

@cseres3
Author

cseres3 commented Jun 10, 2021

I have now filed a CVE.

@carnil

carnil commented Jun 10, 2021

CVE-2021-34555 was assigned for this issue.

@glts
Contributor

glts commented Jun 14, 2021

It would be very helpful if those who saw crashing on their systems could try the patch and tell us if the problem is gone after or if there are other issues.

@cseres3
Author

cseres3 commented Jun 14, 2021

I can test it if you can send a ready-made RPM for CentOS8 or give step-by-step instructions for compiling it.

@glts
Contributor

glts commented Jun 14, 2021

I wouldn't know how to do that. Any other takers -- let us know if the patch helps.

@Swallowtail23

It's an easy compile and install on Centos 8. @glts Has it been merged into 'develop' stream yet?

Standard OpenDMARC on CentOS is EPEL package, and the 'develop' version can be compiled and run alongside it as it installs to /usr/local.

On my mail server (RHEL 8) I have both installed, and can switch between them. To do so, do this from a working directory somewhere:

git clone https://github.com/trusteddomainproject/OpenDMARC
cd OpenDMARC
git checkout develop
autoreconf -v -i
./configure --with-spf --with-spf2-include=/usr/include/spf2/ --with-spf2-lib=/usr/lib64/
make
make install

Copy /etc/opendmarc.conf to /etc/opendmarc-new.conf, and create a new systemd file at /usr/lib/systemd/system/opendmarc-new.service, with updates to PIDFile, EnvironmentFile and ExecStart:

PIDFile=/var/run/opendmarc/opendmarc-new.pid
EnvironmentFile=-/etc/sysconfig/opendmarc-new
ExecStart=/usr/local/sbin/opendmarc $OPTIONS

Create the environment file and edit to match.

In the config file at /etc/opendmarc-new.conf, use a different port for socket - I use
Socket inet:8894@localhost

...then make sure Postfix or whatever MTA you use is configured accordingly. E.g. in Postfix I have:

### Milter ports ###
# 8890 = spf-milter     (glts, new testing - https://gitlab.com/glts/spf-milter)
# 8891 = OpenDKIM
# 8892 = OpenARC        (beta)
# 8893 = OpenDMARC      EPEL stable (currently 1.4.1)
# 8894 = OpenDMARC-new  (1.4.1 develop from git)

# spf-milter, DKIM, ARC, DMARC (1.4.1 git):
smtpd_milters           = inet:127.0.0.1:8890,
                                     inet:127.0.0.1:8891,
                                     inet:127.0.0.1:8892,
                                     inet:127.0.0.1:8894

Enable the new service
systemctl enable --now opendmarc-new

... and check.

@Swallowtail23

...noting that you will of course need the usual packages installed as required for compiling... and the sendmail-milter-devel package I believe is needed.

@glts
Contributor

glts commented Jun 15, 2021

Thanks @Swallowtail23. No, it’s not in develop yet.

You can either use my fork instead:

git clone https://github.com/glts/OpenDMARC
cd OpenDMARC
git checkout fix-multi-value-from

Or apply the patch from the pull request, https://github.com/trusteddomainproject/OpenDMARC/pull/178.patch:

git clone https://github.com/trusteddomainproject/OpenDMARC
cd OpenDMARC
git checkout develop
patch -p1 < /path/to/178.patch

@Swallowtail23

./configure --with-spf --with-spf2-include=/usr/include/spf2/ --with-spf2-lib=/usr/lib64/

Please do note also that the configure line I used is to use libspf2, not OpenDMARC's internal SPF code; alter as you need.

@sriccio

sriccio commented Jun 15, 2021

Hello @glts

Thank you for the patch.

I've rebuilt the RPM (from the EPEL source RPM) adding the 178 patch + using tag rel-opendmarc-1-4-1-1 tar.gz
We were having 20-30 segfaults per day (I've used monit to monitor the process and restart it when it dies).
I'll report if the segfaults are still occurring with the patch.

Kind regards.

@sriccio

sriccio commented Jun 15, 2021

@glts

No new segfaults since I'm using the patched version. Seems good. Thanks!

@glts
Contributor

glts commented Jun 16, 2021

@sriccio Good to hear, thanks for testing

@shawniverson

@sriccio do you have the SPEC file you would be willing to share for your rebuilt RPM? Just want to save a little time and get this out the door for others.

@sriccio

sriccio commented Jun 17, 2021

@shawniverson

Here is attached the SRPM of the package I've rebuilt.

opendmarc-1.4.1.1-1.el7.src.zip

I hope it will be of help.

@shawniverson

@sriccio thank you. I have packages built and in the repos for https://github.com/E-F-A/v4

@apircalabu

Thanks for the fix and the SRPM. Be great if the binary version was updated too, it's still returning 1.4.1:
Jul 12 12:24:04 filter2 opendmarc[19086]: OpenDMARC Filter v1.4.1 starting (args: -c /etc/opendmarc.conf -P /run/opendmarc/opendmarc.pid)
strings /usr/sbin/opendmarc | egrep "1.4.."
1.4.1

@quantumchaos451

Given that there is a CVE against this issue, is there any particular reason it hasn't been merged into master yet?

@Steve-Siirila

We were hit with this issue today as part of routine patching. We had to back out to previous version.

Does anyone have a concrete example I can use to trigger this problem? Simply specifying something like follows only causes a log message "multi-valued From field detected" but no crash:

From: UserA usera@domaina.com, UserB userb@domainb.com

I also tried leaving the domain part off of both to no avail, and actually got this error instead:

RFC 5322 requirement error: missing From field; accepting

@glts
Contributor

glts commented Jul 26, 2021

@Steve-Siirila When From: contains multiple recipients, an address with no domain part triggers the segfault. Use the patch further above.

@Steve-Siirila

Thank you @glts -- I was able to duplicate with 1.4.1. I was literally leaving off just the domain parts, as in:

From: UserA usera@, UserB userb@

Once I removed the "@" characters it crashed as expected. Now we have a verification method after we upgrade to the latest version.

@Swallowtail23

Swallowtail23 commented Jul 27, 2021

EPEL repository has just pushed 1.4.1.1 for EL8
(EDIT)... but looking back through what is in it, I don't think it actually addresses this?

@mricon

mricon commented Jul 28, 2021

1.4.1.1 in EPEL contains the CVE fix:

* Sun Jul 11 2021 Kevin Fenzi <kevin@scrye.com> - 1.4.1.1-2
- Add patch for CVE-2021-34555. Fixes rhbz#1974707

mskucherawy pushed a commit that referenced this issue Dec 20, 2021
@thegushi
Collaborator

thegushi commented Sep 8, 2022

1.4.2 fixes this and has been released.

@thegushi thegushi closed this as completed Sep 8, 2022
@thegushi thegushi self-assigned this Sep 8, 2022
@tofuSCHNITZEL

tofuSCHNITZEL commented Dec 24, 2022

how to get version 1.4.2 on Centos 8 stream or Rocky Linux 8?
or @shawniverson how do I get it patched with an existing eFa4? do I need to run the eFa setup again?

@shawniverson

@tofuSCHNITZEL you should get the latest just by a dnf update if it is available on one of the repos.

@tofuSCHNITZEL

tofuSCHNITZEL commented Dec 24, 2022

hm but with dnf I only get 1.4.1.1 and I'm not sure if it is patched or not:

Name         : opendmarc
Version      : 1.4.1.1
Release      : 3.el8
Architecture : x86_64
Size         : 256 k
Source       : opendmarc-1.4.1.1-3.el8.src.rpm
Repository   : @System
From repo    : epel

@shawniverson

It should already have the patch, it was included in 1.4.1.1-2.

@tofuSCHNITZEL

Ah, I see. Well then my opendmarc is segfaulting for a different reason...
