If some of you have servers running OpenSMTPD, an update is in order:

    https://www.openwall.com/lists/oss-security/2020/01/28/3

Dare I suggest Postfix, which has multiple layers of defense against bugs of this sort. The fact that recently developed software, reportedly designed with security as a major goal, has a bug of this sort is disappointing, but also not that surprising:

* OpenSMTPD executes local delivery agents via a shell:

      asprintf(&dispatcher->u.local.command,
          "/usr/libexec/mail.local -f %%{mbox.from} %{user.username}");

      execle("/bin/sh", "/bin/sh", "-c", mda_command, (char *)NULL, mda_environ);

  with the only barrier between safety and disaster a single sanity check.

* OpenSMTPD is willing to deliver mail to root with root's privileges.

* Perhaps more weak points, but those two are quite enough...

Thanks again Wietse, no sleepless nights fighting the next email worm (or wondering who's been breaking into my MTA) for me...

--
Viktor.
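The two shapes contrasted above, as an added C example that is not from the post, from OpenSMTPD or from Postfix: the shell-interpolated command line beside the no-shell argv form, with a portable-username allowlist as the second layer a layered design would keep regardless. The mail.local path is the one quoted in the post; the sender address, the usernames and the validator's charset are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Shape described in the post: one command line is formatted and handed to
 * "/bin/sh -c"; every byte of `user` is parsed by the shell, so safety rests
 * entirely on whatever check `user` passed beforehand. */
int build_shell_command(char *buf, size_t n, const char *from, const char *user)
{
    return snprintf(buf, n, "/usr/libexec/mail.local -f %s %s", from, user);
}

/* Hardened shape: no shell. Each value is its own argv element for execve(2),
 * so the agent receives it verbatim and shell metacharacters are inert. */
#define MDA_ARGV_LEN 5
int build_mda_argv(const char *argv[MDA_ARGV_LEN], const char *from, const char *user)
{
    argv[0] = "/usr/libexec/mail.local";
    argv[1] = "-f";
    argv[2] = from;
    argv[3] = user;
    argv[4] = NULL;
    return 4;                       /* argc */
}

/* 1 if the argv path hands `user` to the agent as one unchanged argument. */
int argv_preserves_user(const char *user)
{
    const char *argv[MDA_ARGV_LEN];
    build_mda_argv(argv, "sender@example.test", user);   /* constructed sender */
    return strcmp(argv[3], user) == 0 && argv[4] == NULL;
}

/* Defence in depth (assumed policy): accept only the POSIX portable username
 * charset ([a-z_][a-z0-9_-]*, at most 32 bytes) before any delivery at all. */
int valid_local_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 32) return 0;
    if (!(islower((unsigned char)user[0]) || user[0] == '_')) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}
```

With the argv form, a username such as the constructed "bob smith" reaches the delivery agent as a single argument whether or not the validator is perfect; with the sh -c form, the same string is re-parsed by the shell, which is why that path depends on one check.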