[packages/exim] Rel 25; unofficial hotfix for some of recent SECURITY issues (timelime for official (they exist but
arekm
arekm at pld-linux.org
Sun Oct 1 17:48:47 CEST 2023
commit 05c80ef30111128a0c6d1568b9691559161c255f
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Sun Oct 1 17:16:31 2023 +0200
Rel 25; unofficial hotfix for some of recent SECURITY issues (timelime for official (they exist but are not public) fixes is unknown)
exim.spec | 6 +-
unofficial-hotfix.patch | 151 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 155 insertions(+), 2 deletions(-)
---
diff --git a/exim.spec b/exim.spec
index c07cf98..8a3e69d 100644
--- a/exim.spec
+++ b/exim.spec
@@ -23,7 +23,7 @@ Summary(pl.UTF-8): Agent Transferu Poczty Uniwersytetu w Cambridge
Summary(pt_BR.UTF-8): Servidor de correio eletrônico exim
Name: exim
Version: 4.96
-Release: 24
+Release: 25
Epoch: 2
License: GPL v2+
Group: Networking/Daemons/SMTP
@@ -49,7 +49,7 @@ Source15: %{name}4-smtp.pamd
Source16: %{name}on.png
# sh branch.sh
Patch100: %{name}-git.patch
-# Patch100-md5: 0ea3e11e6f8a3371f1ffe042a9f7a83c
+# Patch100-md5: a08ce639b3a3652899a84ff606e66517
Patch0: %{name}4-EDITME.patch
Patch1: %{name}4-monitor-EDITME.patch
Patch2: %{name}4-cflags.patch
@@ -62,6 +62,7 @@ Patch6: 90_localscan_dlopen-fixes.dpatch
Patch7: linelength-show.patch
Patch8: %{name}-spam-timeout.patch
Patch9: autoreply-return-path.patch
+Patch10: unofficial-hotfix.patch
URL: http://www.exim.org/
%{?with_sasl:BuildRequires: cyrus-sasl-devel >= 2.1.0}
BuildRequires: db-devel
@@ -186,6 +187,7 @@ Pliki nagłówkowe dla Exima.
%patch7 -p1
%patch8 -p1
%patch9 -p2
+%patch10 -p2
install %{SOURCE4} exim4.conf
install %{SOURCE14} doc/config.samples.tar.bz2
diff --git a/unofficial-hotfix.patch b/unofficial-hotfix.patch
new file mode 100644
index 0000000..c7cc282
--- /dev/null
+++ b/unofficial-hotfix.patch
@@ -0,0 +1,151 @@
+Date: Sun, 1 Oct 2023 11:33:26 +0200
+To: exim-dev at lists.exim.org
+From: Florian Zumbiehl via Exim-dev <exim-dev at lists.exim.org>
+
+Hi,
+
+below you find a patch that fixes some (probably three?) of what I guess are
+the vulnerabilities reported by ZDI.
+
+Please note that the patch is only mildly tested, it is developed based on
+the git master branch, but can be applied to older versions with minor
+massaging. If you go back far enough, proxy.c was part of smtp_in.c, but if
+you adjust for that, the patch can be made to apply there, too.
+
+Obviously, I have no idea whether this actually addresses what ZDI has
+reported, but if not, these probably should be fixed, too, and if so, given
+the fact that I managed to rather easily find these vulnerabilities based
+on the information that's publicly available, I don't think there is much
+point to trying to keep this secret any longer--if anything, it's
+counterproductive.
+
+Also mind you that this is a hot fix, it's neither elegant, nor does it do
+any useful error reporting, the goal was simply to prevent out of bounds
+accesses.
+
+Florian
+
+---
+
+diff --git a/src/src/auths/external.c b/src/src/auths/external.c
+index 078aad0..54966e6 100644
+--- a/src/src/auths/external.c
++++ b/src/src/auths/external.c
+@@ -101,6 +101,9 @@ if (expand_nmax == 0) /* skip if rxd data */
+ if ((rc = auth_prompt(CUS"")) != OK)
+ return rc;
+
++if (expand_nmax != 1)
++ return FAIL;
++
+ if (ob->server_param2)
+ {
+ uschar * s = expand_string(ob->server_param2);
+diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
+index 222ccea..66967d6 100644
+--- a/src/src/auths/spa.c
++++ b/src/src/auths/spa.c
+@@ -166,12 +166,18 @@ if (auth_get_no64_data(&data, msgbuf) != OK)
+ return FAIL;
+
+ /* dump client response */
+-if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)
++int l = spa_base64_to_bits(CS &response, sizeof(response), CCS data);
++if (l < 0)
+ {
+ DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
+ "response: %s\n", data);
+ return FAIL;
+ }
++if(l < (char *)&response.buffer - (char *)&response)return FAIL;
++unsigned long o = IVAL(&response.uUser.offset, 0);
++if((l < o) || (l - o < SVAL(&response.uUser.len, 0)))return FAIL;
++o = IVAL(&response.ntResponse.offset, 0);
++if((l < o) || (l - o < 24))return FAIL;
+
+ /***************************************************************
+ PH 07-Aug-2003: The original code here was this:
+@@ -346,7 +352,10 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+
+ /* convert the challenge into the challenge struct */
+ DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
+-spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
++int l = spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
++if((l < 0) || (l < (char *)&challenge.buffer - (char *)&challenge))return FAIL;
++unsigned long o = IVAL(&challenge.uDomain.offset, 0);
++if((l < o) || (l - o < SVAL(&challenge.uDomain.len, 0)))return FAIL;
+
+ spa_build_auth_response(&challenge, &response, CS username, CS password);
+ spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
+diff --git a/src/src/proxy.c b/src/src/proxy.c
+index fbce111..8dd7034 100644
+--- a/src/src/proxy.c
++++ b/src/src/proxy.c
+@@ -93,6 +93,8 @@ while (capacity > 0)
+ do { ret = read(fd, to, 1); } while (ret == -1 && errno == EINTR && !had_command_timeout);
+ if (ret == -1)
+ return -1;
++ if (!ret)
++ break;
+ have++;
+ if (last)
+ return have;
+@@ -254,6 +256,8 @@ if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
+ goto proxyfail;
+ }
+
++ if (ret < 16)
++ goto proxyfail;
+ /* The v2 header will always be 16 bytes per the spec. */
+ size = 16 + ntohs(hdr.v2.len);
+ DEBUG(D_receive) debug_printf("Detected PROXYv2 header, size %d (limit %d)\n",
+@@ -274,7 +278,7 @@ if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
+ {
+ retmore = read(fd, (uschar*)&hdr + ret, size-ret);
+ } while (retmore == -1 && errno == EINTR && !had_command_timeout);
+- if (retmore == -1)
++ if (retmore < 1)
+ goto proxyfail;
+ DEBUG(D_receive) proxy_debug(US &hdr, ret, ret + retmore);
+ ret += retmore;
+@@ -297,6 +301,8 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
+ switch (hdr.v2.fam)
+ {
+ case 0x11: /* TCPv4 address type */
++ if (ret < 28)
++ goto proxyfail;
+ iptype = US"IPv4";
+ tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
+ inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
+@@ -323,6 +329,8 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
+ proxy_external_port = tmpport;
+ goto done;
+ case 0x21: /* TCPv6 address type */
++ if (ret < 52)
++ goto proxyfail;
+ iptype = US"IPv6";
+ memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
+ inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
+@@ -381,10 +389,13 @@ else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)
+ goto proxyfail;
+ ret += r2;
+
++ if(ret > 107)
++ goto proxyfail;
++ hdr.v1.line[ret] = 0;
+ p = string_copy(hdr.v1.line);
+ end = memchr(p, '\r', ret - 1);
+
+- if (!end || (end == (uschar*)&hdr + ret) || end[1] != '\n')
++ if (!end || end[1] != '\n')
+ {
+ DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
+ goto proxyfail;
+
+--
+## subscription configuration (requires account):
+## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
+## unsubscribe (doesn't require an account):
+## exim-dev-unsubscribe at lists.exim.org
+## Exim details at http://www.exim.org/
+## Please use the Wiki with this list - http://wiki.exim.org/
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/exim.git/commitdiff/05c80ef30111128a0c6d1568b9691559161c255f
More information about the pld-cvs-commit
mailing list