First published: Mon Jul 27 2020(Updated: )
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/opendmarc | <1.3.2-7ubuntu0.1 | 1.3.2-7ubuntu0.1 |
ubuntu/opendmarc | <1.3.2-3ubuntu0.2 | 1.3.2-3ubuntu0.2 |
ubuntu/opendmarc | <1.4.0~ | 1.4.0~ |
ubuntu/opendmarc | <1.3.1+dfsg-3ubuntu0.1~ | 1.3.1+dfsg-3ubuntu0.1~ |
<=1.3.2 | ||
=1.4.0-beta0 | ||
=1.4.0-beta1 | ||
=33 | ||
=34 | ||
=9.0 | ||
Trusteddomain Opendmarc | <=1.3.2 | |
Trusteddomain Opendmarc | =1.4.0-beta0 | |
Trusteddomain Opendmarc | =1.4.0-beta1 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
Debian Debian Linux | =9.0 | |
debian/opendmarc | 1.3.2-6+deb10u2 1.3.2-6+deb10u4 1.4.0~beta1+dfsg-6+deb11u1 1.4.2-2 1.4.2-4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2020-12460 is high.
CVE-2020-12460 occurs due to improper null termination in the function opendmarc_xml_parse.
The impact of CVE-2020-12460 is a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report, which can cause remote memory corruption.
OpenDMARC versions 1.3.2 through 1.3.2-6+deb10u4, 1.4.x through 1.4.0-Beta1, 1.4.0~beta1+dfsg-6+deb11u1, 1.4.2-2, and 1.4.2-3 are affected by CVE-2020-12460.
To fix CVE-2020-12460, update OpenDMARC to a version that includes the necessary remedy, such as version 1.3.2-6+deb10u4 or later.