CVE-2020-7247

Severity: Critical
Remote: Yes
Type: Arbitrary command execution
Description
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-1090 | opensmtpd | 6.6.1p1-1 | 6.6.2p1-1 | Critical | Fixed | |

| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 29 Jan 2020 | ASA-202001-6 | AVG-1090 | opensmtpd | Critical | arbitrary command execution |

References
https://www.openwall.com/lists/oss-security/2020/01/28/3
https://github.com/OpenSMTPD/OpenSMTPD/commit/d2688c097e0ff53037c7403e09426771876a3907
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45