untrusted comment: verify with openbsd-66-base.pub RWSvK/c+cFe24L6jVYz+aVHQ/ENpBVRU/kWppP9xvYQvjeHkYe0MQD+ccLKTwHtz3H3GoARE1M4owGKQDSsnYXVcWrPQFUDlZgg= OpenBSD 6.6 errata 019, January 30, 2020: An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user. Apply by doing: signify -Vep /etc/signify/openbsd-66-base.pub -x 019_smtpd_exec.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install smtpd: cd /usr/src/usr.sbin/smtpd make obj make make install Index: usr.sbin/smtpd/smtp_session.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtp_session.c,v retrieving revision 1.415 diff -u -p -r1.415 smtp_session.c --- usr.sbin/smtpd/smtp_session.c 4 Oct 2019 08:34:29 -0000 1.415 +++ usr.sbin/smtpd/smtp_session.c 26 Jan 2020 05:56:37 -0000 @@ -2215,24 +2215,22 @@ smtp_mailaddr(struct mailaddr *maddr, ch memmove(maddr->user, p, strlen(p) + 1); } - if (!valid_localpart(maddr->user) || - !valid_domainpart(maddr->domain)) { - /* accept empty return-path in MAIL FROM, required for bounces */ - if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') - return (1); + /* accept empty return-path in MAIL FROM, required for bounces */ + if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') + return (1); - /* no user-part, reject */ - if (maddr->user[0] == '\0') - return (0); - - /* no domain, local user */ - if (maddr->domain[0] == '\0') { - (void)strlcpy(maddr->domain, domain, - sizeof(maddr->domain)); - return (1); - } + /* no or invalid user-part, reject */ + if (maddr->user[0] == '\0' || !valid_localpart(maddr->user)) return (0); + + /* no domain part, local user */ + if (maddr->domain[0] == '\0') { + (void)strlcpy(maddr->domain, domain, + sizeof(maddr->domain)); } + + if (!valid_domainpart(maddr->domain)) + return (0); return (1); }