OpenDMARC 1.4.1 segfault several times on two VMs, CentOS 7/8 #179
|
Please provide the backtrace from the coredump. |
|
backtrace.txt |
|
I have difficulties deciphering this, but if I had to go out on a limb this looks like a NULL dereference here: https://github.com/trusteddomainproject/OpenDMARC/blob/rel-opendmarc-1-4-1/opendmarc/opendmarc.c#L2480 This is the fix for CVE-2019-16378. If OpenDMARC can now be crashed with a multi-value |
|
Hello, We're seeing the same issue here on E.F.A v4. opendmarc packages were updated and it started to segfault daily at random times. I've considered a rollback to 1.3.2-1.el7.x86_64 but the files seem gone from EPEL directories... |
|
I could reproduce the problem and have pushed another commit at #178. Please apply and try patch https://patch-diff.githubusercontent.com/raw/trusteddomainproject/OpenDMARC/pull/178.patch. Please someone file a CVE, I don't have the energy right now. OpenDMARC 1.4.1.1 is a sitting duck and can be shot down by anyone at any time. |
|
I have now filed a CVE. |
|
CVE-2021-34555 was assigned for this issue. |
|
It would be very helpful if those who saw crashing on their systems could try the patch and tell us if the problem is gone after or if there are other issues. |
|
I can test it if you can send a ready-made RPM for CentOS8 or give step-by-step instructions for compiling it. |
|
I wouldn't know how to do that. Any other takers -- let us know if the patch helps. |
|
It's an easy compile and install on Centos 8. @glts Has it been merged into 'develop' stream yet? Standard OpenDMARC on CentOS is EPEL package, and the 'develop' version can be compiled and run alongside it as it installs to /usr/local. On my mail server (RHEL 8) I have both installed, and can switch between them. To do so, do this from a working directory somewhere: Copy /etc/opendmarc.conf to /etc/opendmarc-new.conf, and create a new systemd file at /usr/lib/systemd/system/opendmarc-new.service, with updates to PIDFile, EnvironmentFile and ExecStart: Create the environment file and edit to match. In the config file at /etc/opendmarc-new.conf, use a different port for socket - I use ...then make sure Postfix or whatever MTA you use is configured accordingly. E.g. in Postfix I have: Enable the new service ... and check. |
|
...noting that you will of course need the usual packages installed as required for compiling... and the sendmail-milter-devel package I believe is needed. |
|
Thanks @Swallowtail23. No, it’s not in develop yet. You can either use my fork instead: Or apply the patch from the pull request, https://github.com/trusteddomainproject/OpenDMARC/pull/178.patch: |
Please do note also that the configure line I used is to use libspf2, not OpenDMARC's internal SPF code; alter as you need. |
|
Hello @glts Thank you for the patch. I've rebuilt the RPM (from the EPEL source RPM) adding the 178 patch + using tag rel-opendmarc-1-4-1-1 tar.gz. Kind regards. |
|
No new segfaults since I'm using the patched version. Seems good. Thanks! |
|
@sriccio Good to hear, thanks for testing |
|
@sriccio do you have the SPEC file you would be willing to share for your rebuilt RPM? Just want to save a little time and get this out the door for others. |
|
Attached is the SRPM of the package I've rebuilt. opendmarc-1.4.1.1-1.el7.src.zip I hope it will be of help. |
|
@sriccio thank you. I have packages built and in the repos for https://github.com/E-F-A/v4 |
|
Thanks for the fix and the SRPM. Be great if the binary version was updated too, it's still returning 1.4.1: |
|
Given that there is a CVE against this issue, is there any particular reason it hasn't been merged into master yet? |
|
We were hit with this issue today as part of routine patching. We had to back out to the previous version. Does anyone have a concrete example I can use to trigger this problem? Simply specifying something like the following only causes a log message "multi-valued From field detected" but no crash: From: UserA usera@domaina.com, UserB userb@domainb.com I also tried leaving the domain part off of both to no avail, and actually got this error instead: RFC 5322 requirement error: missing From field; accepting |
|
@Steve-Siirila When From: contains multiple recipients, an address with no domain part triggers the segfault. Use the patch further above. |
|
Thank you @glts -- I was able to duplicate with 1.4.1. I was literally leaving off just the domain parts, as in: From: UserA usera@, UserB userb@ Once I removed the "@" characters it crashed as expected. Now we have a verification method after we upgrade to the latest version. |
|
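The crash condition described in the comments above (a multi-valued From: in which an address has no domain part), as an added example that is not from the thread and not OpenDMARC's own code: a hypothetical validator, `check_from_domains()`, that rejects such a header before a missing domain can reach a libc string function as a null pointer. Assumptions: comma splitting is simplified and ignores quoted commas, and the sample header values are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FROM 1024

/* Hypothetical helper (not OpenDMARC code): return the non-empty domain of
 * one address token, or NULL when there is no '@' or nothing follows it. */
static const char *addr_domain(const char *addr)
{
    const char *at = strrchr(addr, '@');
    return (at != NULL && at[1] != '\0') ? at + 1 : NULL;
}

/* Split a From value on commas (simplified: quoted commas are not handled).
 * Returns the number of addresses, or -1 if the value is NULL, too long,
 * or contains any address without a domain part. */
int check_from_domains(const char *from_value)
{
    char buf[MAX_FROM];
    char *tok = buf;
    int count = 0;

    if (from_value == NULL || strlen(from_value) >= sizeof(buf))
        return -1;
    strcpy(buf, from_value);

    while (tok != NULL) {
        char *next = strchr(tok, ',');
        size_t len;
        if (next != NULL)
            *next++ = '\0';
        len = strlen(tok);
        /* Trim trailing whitespace and a closing angle bracket. */
        while (len > 0 && strchr(" \t\r\n>", tok[len - 1]) != NULL)
            tok[--len] = '\0';
        if (addr_domain(tok) == NULL)
            return -1;  /* reject here; never hand NULL to strlen/strcmp */
        count++;
        tok = next;
    }
    return count;
}

int main(void)
{
    /* Header values as quoted in the thread. */
    printf("%d\n", check_from_domains("UserA usera@domaina.com, UserB userb@domainb.com"));
    printf("%d\n", check_from_domains("UserA usera, UserB userb"));
    return 0;
}
```

|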
EPEL repository has just pushed 1.4.1.1 for EL8 |
|
1.4.1.1 in EPEL contains the CVE fix: |
|
1.4.2 fixes this and has been released. |
|
How to get version 1.4.2 on CentOS 8 Stream or Rocky Linux 8? |
|
@tofuSCHNITZEL you should get the latest just by a dnf update if it is available on one of the repos. |
|
hm but with dnf I only get 1.4.1.1 and I'm not sure if it is patched or not: |
|
It should already have the patch, it was included in 1.4.1.1-2. |
|
Ah, I see. Well then my opendmarc is segfaulting for a different reason... |
Hi,
yesterday and today OpenDMARC has crashed with a segfault half a dozen times on two virtual machines, one of them CentOS7, the other CentOS8, both up-to-date and have OpenDKIM version 1.4.1. Before yesterday OpenDMARC and libopendmarc version 1.3.2 were installed and they worked fine.
Last dmesg info was
[Tue Jun 8 11:19:32 2021] opendmarc[11107]: segfault at 0 ip 00007fa89690c327 sp 00007fa88ffdb1a8 error 4 in libc-2.17.so[7fa8967c5000+1c4000]
Red Hat Abrtd service was running, there is coredump and other files saved by it. Is there some additional information you would need to investigate the issue?
The package version is opendmarc-1.4.1-1.el7.x86_64 on CentOS7 and opendmarc-1.4.1-1.el8.x86_64 on CentOS8.