CVE-2020-7247 log

Source
Severity Critical
Remote Yes
Type Arbitrary command execution
Description
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Group Package Affected Fixed Severity Status Ticket
AVG-1090 opensmtpd 6.6.1p1-1 6.6.2p1-1 Critical Fixed
Date Advisory Group Package Severity Description
29 Jan 2020 ASA-202001-6 AVG-1090 opensmtpd Critical arbitrary command execution
References
https://www.openwall.com/lists/oss-security/2020/01/28/3
https://github.com/OpenSMTPD/OpenSMTPD/commit/d2688c097e0ff53037c7403e09426771876a3907
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45