Package: exim4
Version: 4.84.2-1
Severity: normal
Tags: patch
Fixed upstream:
http://git.exim.org/exim.git/commit/9dc2b215e83a63efa242f6acd3ab7af8b608e5a1
Fix is in 4.87 and stretch. Broken in jessie. Patch attached.
Using plaintext password file generated with OpenBSD htpasswd (bcrypt),
exim crashes with a NPD on every authentication.
Stack trace:
#0 __strcmp_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:29
#1 * in eval_condition (s=0x7ff5b53a4948 "{1}{0}}",
resetok=0x7ffe1b7a3eb4, yield=0x7ffe1b7a4000) at expand.c:2737
#2 * in expand_string_internal (
string=0x7ff5b53a48e8 "${if
crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}
skipping=0, honour_dollar=1, resetok_p=0x0) at expand.c:3993
#3 * in expand_string (
string=0x7ff5b53a48e8 "${if
crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}
#4 * in auth_check_some_cond (ablock=0x7ff5b53a4830,
label=0x7ff5b33ae6ff "server_condition",
condition=0x7ff5b53a48e8 "${if
crypteq{$auth3}{${extract{1}{:}{${lookup{$aut
at check_serv_cond.c:88
#5 * in auth_check_serv_cond (ablock=0x7ff5b53a4830)
at check_serv_cond.c:35
#6 * in auth_plaintext_server (ablock=0x7ff5b53a4830,
data=0x7ff5b53ae317 "*") at plaintext.c:144
#7 * in smtp_setup_msg () at smtp_in.c:3263
#8 * in handle_smtp_call (listen_sockets=0x7ff5b53a7368,
listen_socket_count=4, accept_socket=8, accepted=0x7ffe1b7a55c0)
at daemon.c:511
#9 * in daemon_go () at daemon.c:2032
#10 * in main (argc=3, cargv=0x7ffe1b7e5d98) at exim.c:4690
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -2791,7 +2791,7 @@ switch(cond_type)
#define XSTR(s) STR(s)
DEBUG(D_auth) debug_printf("crypteq: using %s()\n"
" subject=%s\n crypted=%s\n",
- (which == 0)? XSTR(DEFAULT_CRYPT) : (which == 1)? "crypt" : "crypt16",
+ which == 0 ? XSTR(DEFAULT_CRYPT) : which == 1 ? "crypt" : "crypt16",
coded, sub[1]);
#undef STR
#undef XSTR
@@ -2800,8 +2800,16 @@ switch(cond_type)
salt), force failure. Otherwise we get false positives: with an empty
string the yield of crypt() is an empty string! */
- tempcond = (Ustrlen(sub[1]) < 2)? FALSE :
- (Ustrcmp(coded, sub[1]) == 0);
+ if (coded)
+ tempcond = Ustrlen(sub[1]) < 2 ? FALSE : Ustrcmp(coded, sub[1]) == 0;
+ else if (errno == EINVAL)
+ tempcond = FALSE;
+ else
+ {
+ expand_string_message = string_sprintf("crypt error: %s\n",
+ US strerror(errno));
+ return NULL;
+ }
}
break;
#endif /* SUPPORT_CRYPTEQ */