smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because smtp_mailaddr returns an incorrect value when input validation fails, so the invalid address is accepted instead of rejected.
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "file": "usr.sbin/smtpd/smtp_session.c" }, "deprecated": false, "source": "https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45", "digest": { "line_hashes": [ "146958479146620846539546414962359749417", "145804354479718942648469601420943504881", "50866359851508526042491977853727488282", "207177037661277233987566775936640071114", "256454692897472681432177734798303501079", "333579557200389565105833963070610317524", "151964549180595370813610698553145369373", "164042760444352403035042736481382744972", "157779360057984813910033772595342582972", "128067893643618281774819757885083806704", "92864325646592764248353712193035702172", "80056390225257104560475256115545599826", "33586722040586328695311359832171375475", "116533349178807723563281035809734756036", "319598776653868670885544067356391424772", "134792771592966456779690561609829698813", "43264858727266399511000037806169423068" ], "threshold": 0.9 }, "signature_type": "Line", "id": "CVE-2020-7247-1439a3f1" }, { "signature_version": "v1", "target": { "file": "usr.sbin/smtpd/smtp_session.c", "function": "smtp_mailaddr" }, "deprecated": false, "source": "https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45", "digest": { "length": 902.0, "function_hash": "81829132623799367638487615930946742238" }, "signature_type": "Function", "id": "CVE-2020-7247-ba7fc816" } ] }