Bug 1173208 - (CVE-2020-12063) VUL-1: CVE-2020-12063: postfix: an attacker may send an email from an arbitrary-looking sender via a homoglyph attack
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/258405/
Depends on:
Blocks:
Reported: 2020-06-22 12:46 UTC by Wolfgang Frisch
Modified: 2020-06-22 12:47 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2020-06-22 12:46:11 UTC
CVE-2020-12063

A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a "Sender address rejected: not logged in" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1848850
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12063
https://www.openwall.com/lists/oss-security/2020/04/23/12
https://www.openwall.com/lists/oss-security/2020/04/23/3
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12063.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12063
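The mismatch described in the report can be caught on the receiving side by comparing a normalized "skeleton" of the sender address against the configured ones instead of relying on an exact lookup. This is an added example, not Postfix code and not from the report; the confusables table is a constructed, deliberately partial stand-in for the Unicode confusables data, and the configured sender set is a constructed stand-in for /etc/postfix/sender_login entries.

```python
import unicodedata

# Constructed, deliberately partial confusables table: non-ASCII letters that
# render like ASCII ones. The report cites the UTF-8 bytes \xce\xbf, i.e.
# U+03BF (Greek small omicron), as an 'o' lookalike; a real deployment would
# use the full Unicode confusables data.
CONFUSABLES = {
    "\u03bf": "o",  # Greek small letter omicron
    "\u03b1": "a",  # Greek small letter alpha
    "\u043e": "o",  # Cyrillic small letter o
    "\u0430": "a",  # Cyrillic small letter a
    "\u0435": "e",  # Cyrillic small letter ie
    "\u0440": "p",  # Cyrillic small letter er
    "\u0441": "c",  # Cyrillic small letter es
    "\u0456": "i",  # Cyrillic small letter byelorussian-ukrainian i
}

def skeleton(addr):
    """ASCII 'skeleton' of an address: NFKC-normalize, lowercase, then map
    known confusables, so a lookalike collapses onto the address it imitates."""
    text = unicodedata.normalize("NFKC", addr).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def classify_sender(sender, configured):
    """'exact' if the sender is a configured address (what an exact
    sender_login lookup matches), 'homoglyph' if it only matches after
    skeletonizing (what such a lookup misses), else 'unrelated'."""
    if sender.lower() in {c.lower() for c in configured}:
        return "exact"
    if skeleton(sender) in {skeleton(c) for c in configured}:
        return "homoglyph"
    return "unrelated"

# Constructed stand-in for addresses listed in /etc/postfix/sender_login.
CONFIGURED_SENDERS = {"bob@example.com"}

# Constructed sample senders; the second reproduces the report's omicron case
# by decoding the quoted UTF-8 bytes.
SAMPLE_SENDERS = [
    "bob@example.com",
    "b" + b"\xce\xbf".decode("utf-8") + "b@example.com",
    "alice@example.com",
]

def scan(senders=SAMPLE_SENDERS, configured=CONFIGURED_SENDERS):
    """Return (sender, verdict) pairs; 'homoglyph' is the case to alert on."""
    return [(s, classify_sender(s, configured)) for s in senders]

if __name__ == "__main__":
    for sender, verdict in scan():
        print(f"{verdict:10} {sender}")
```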
Comment 1 Wolfgang Frisch 2020-06-22 12:47:38 UTC
This is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability.
CVE disputed.