CVE-2020-8793

Description
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on
some Linux distributions) because of a combination of an untrusted search
path in makemap.c and race conditions in the offline functionality in
smtpd.c.
Mitigation
Ubuntu ships with /proc/sys/fs/protected_hardlinks enabled by default,
making this vulnerability not exploitable.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): released (6.0.3p1-1ubuntu0.2)
Ubuntu 19.10 (Eoan Ermine): released (6.0.3p1-6ubuntu0.2)
Ubuntu 20.04 (Focal Fossa): released (6.6.4p1-1)
This vulnerability is mitigated in part by the use of hardlink restrictions in Ubuntu. For more details see https://wiki.ubuntu.com/Security/Features#hardlink

Updated: 2020-03-18 21:44:54 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)