[FYI] [exim-announce] 2 smallish security issues

Rund um die Sicherheit des Systems und die Applikationen
Posts: 3840
Joined: 2003-01-21 01:59
Location: Sinsheim/Karlsruhe

[FYI] [exim-announce] 2 smallish security issues

Post by dodolin »

http://www.exim.org/mail-archives/exim- ... 00000.html

Code: Select all

Two relatively minor (IMHO) security issues in Exim were raised over the 
Christmas break. The patches below address them for the 4.43 release. The same 
patches will probably easily retrofit onto quite a number of prior releases. I
have also put these fixes into the current source, and made a new snapshot for
testing in


In addition to the security patches, this snapshot contains some bug fixes and
tidies that were reported by testers of the previous snapshot.

Discussion of security issues
- -----------------------------

1. The function host_aton() can overflow a buffer if it is presented with an 
   illegal IPv6 address that has more than 8 components. The input to this 
   function is supposed to be checked; the report said that an unchecked value 
   could be passed via the command line (without specifying which command line 
   option, annoyingly). I found one such case, which was a call do a dnsdb
   lookup for a PTR record, as part of testing expansions using -be. The first
   patch below fixes this - as it happens, this change had already been made to
   the current source. 
   The report stated that Exim was running as "exim" when the problem occurred:
   with -be, Exim runs as the calling user. Therefore, either the report was
   wrong, or there is another case that I could not find. However, if there is
   another case, it will now be covered by the second patch below, which puts a
   test into the host_aton() function itself. (This should, of course, have
   been there all the time, as a bit of defensive programming, but hey, I'm
   only human. :-)

2. The second report described a buffer overflow in the function 
   spa_base64_to_bits(), which is part of the code for SPA authentication. This 
   code originated in the Samba project. The overflow can be exploited only if 
   you are using SPA authentication. The remaining patches below fix this 
   problem by adding a buffer length parameter to the problem function. I have 
   tested that SPA authentication still works, but I don't have the tools to 
   test that an attempt to exploit the overflow is now detected.