CVE-2020-8794: 
NixOS vulnerability analysis and mitigation

OpenSMTPD before version 6.6.4 contains a vulnerability (CVE-2020-8794) that allows remote code execution due to an out-of-bounds read in mta_io function in mta_session.c when handling multi-line replies. This vulnerability was introduced in December 2015 and affects both client-side and server-side code, leading to arbitrary shell command execution either as root (after May 2018) or as any non-root user (before May 2018) (Qualys Advisory, NVD).

The vulnerability exists in OpenSMTPD's client-side code that handles multi-line SMTP server replies. The issue occurs in the mta_io function when parsing the last line of a multi-line reply. If the three-digit code is not followed by the optional space and text, a pointer points to the first character after the line's null terminator, causing an out-of-bounds read when the string is concatenated into the reply buffer (Trend Micro, Qualys Advisory).

The vulnerability can be exploited in two ways: 1) Client-side exploitation where an attacker controlling a malicious SMTP server can execute arbitrary commands on systems using OpenSMTPD's default configuration, and 2) Server-side exploitation where an attacker can send specially crafted emails to trigger command execution after the service is restarted. The impact is particularly severe as it can lead to root privilege escalation in systems using the 'mbox' delivery method (Qualys Advisory).

The vulnerability has been patched in OpenSMTPD version 6.6.4. System administrators should update their OpenSMTPD installations to this version or later. For Debian systems, fixes are available in version 6.0.2p1-2+deb9u3 for oldstable (stretch) and version 6.0.3p1-5+deb10u4 for stable (buster). Ubuntu users should update to version 6.0.3p1-6ubuntu0.2 for 19.10 and 6.0.3p1-1ubuntu0.2 for 18.04 LTS (Debian Security Advisory, Ubuntu Security Notice).