packages/opendmarc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!9 [sync] PR-6: fix CVE-2024-25768

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-05-07 09:22:16 +00:00 committed by Gitee
commit 83659a9627
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
fix-CVE-2024-25768.patch Normal file
View File

@ -0,0 +1,40 @@
From e6e0ceae014f9c8519ed52b9871ca0111b6ec468 Mon Sep 17 00:00:00 2001
From: wangshuo <wangshuo@kylinos.cn>
Date: Mon, 6 May 2024 14:32:49 +0800
Subject: [PATCH] fix CVE-2024-25768
Instead of:
if (list_buf != NULL || size_of_buf > 0)
the code at libopendmarc/opendmarc_policy.c#L1478 should be:
if (list_buf != NULL && size_of_buf > 0)
In the OpenDMARC project, this bug is out of reach,
as opendmarc_policy_fetch_ruf() is always called with both list_buf = NULL and size_of_buf = 0
opendmarc/opendmarc.c#L3289
ruv = opendmarc_policy_fetch_ruf(cc->cctx_dmarc, NULL, 0, TRUE);
opendmarc/opendmarc-check.c#L224
ruf = opendmarc_policy_fetch_ruf(dmarc, NULL, 0, 1);
However, this is a library function and may be used outside of this project in a way that could trigger the bug.
---
libopendmarc/opendmarc_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libopendmarc/opendmarc_policy.c b/libopendmarc/opendmarc_policy.c
index 32053db..43daedc 100644
--- a/libopendmarc/opendmarc_policy.c
+++ b/libopendmarc/opendmarc_policy.c
@@ -1475,7 +1475,7 @@ opendmarc_policy_fetch_ruf(DMARC_POLICY_T *pctx, u_char *list_buf, size_t size_o
{
return NULL;
}
- if (list_buf != NULL || size_of_buf > 0)
+ if (list_buf != NULL && size_of_buf > 0)
{
(void) memset(list_buf, '\0', size_of_buf);
sp = list_buf;
--
2.27.0

9
opendmarc.spec
View File

@ -4,11 +4,12 @@
Summary: A Domain-based Message Authentication, Reporting & Conformance (DMARC) milter and library Summary: A Domain-based Message Authentication, Reporting & Conformance (DMARC) milter and library
Name: opendmarc Name: opendmarc
Version: 1.4.2 Version: 1.4.2
Release: 2 Release: 3
License: BSD and Sendmail License: BSD and Sendmail
URL: http://www.trusteddomain.org/%{name}.html URL: http://www.trusteddomain.org/%{name}.html
Source0: https://github.com/trusteddomainproject/OpenDMARC/archive/refs/tags/rel-opendmarc-1-4-2.tar.gz Source0: https://github.com/trusteddomainproject/OpenDMARC/archive/refs/tags/rel-opendmarc-1-4-2.tar.gz
Patch01: opendmarc-1.4.0-ticket159-179.patch Patch01: opendmarc-1.4.0-ticket159-179.patch
Patch02: fix-CVE-2024-25768.patch
Requires: lib%{name}%{?_isa} = %{version}-%{release} Requires: lib%{name}%{?_isa} = %{version}-%{release}
@ -176,6 +177,12 @@ exit 0
%{_libdir}/*.so %{_libdir}/*.so
%changelog %changelog
* Mon May 06 2024 wangshuo <wangshuo@kylinos.cn> - 1.4.2-3
- Type:CVE
- ID:CVE-2024-25678
- SUG:NA
- DESC:fix CVE-2024-25678
* Wed Mar 1 2023 licihua <licihua@huawei.com> - 1.4.2-2 * Wed Mar 1 2023 licihua <licihua@huawei.com> - 1.4.2-2
- DESC:https://gitee.com/src-openeuler/opendmarc/issues/I6IQJM - DESC:https://gitee.com/src-openeuler/opendmarc/issues/I6IQJM