Hello Exim Users and Exim Developers, some of you may have noticed already CVE-2017-1000369. It is related to a stack/heap clash. For more information see https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
As it is possible to abuse Exim as a tool to exploit this vulnerability in the underlying system, Qualys asked us to do a small change in Exim. We want to point out that it is *NOT* Exim that is vulnerable. But Exim can be used as a vector to exploit a vulnerable system. (Technical detail: it was possible to leak memory by (repeated) use of -p<protocol>. During normal operation this didn't matter, because this option is used only once, and the forgotten memory gets freed by the OS on exit of the short-lived process.)

Yesterday, June 19th, 15.00 UTC, Qualys released the information to the public. The distro packagers were informed in advance, so distribution packages of Exim should be fixed already (in Debian Stretch it is, for other distros I do not know.)

IF your distribution updated the packaged version of Exim OR the underlying system THEN you're safe already and can stop reading. ELSE keep on reading.

For simplicity I just append the information I sent out to the distro packagers some days ago:

----- Forwarded message from Heiko Schlittermann <h...@schlittermann.de> -----

Date: Sun, 18 Jun 2017 10:54:04 +0200
From: Heiko Schlittermann <h...@schlittermann.de>
To: Operating system distro security contacts <dist...@vs.openwall.org>
Subject: Re: CVE-2017-1000369 | Exim 4.89+fixes

Heiko Schlittermann <h...@schlittermann.de> (Thu 15 Jun 2017 00:00:04 CEST):
> Hello packagers of Exim,
…
> We got CVE-2017-1000369 for a vulnerability that can be exploited
> through Exim. As Exim itself is not exploitable, and as we do not
> understand the fix as a security issue in Exim itself, we do not see a
> reason for a point release.
>
> We have a small patch already. As soon as possible I'll publish an
> exim-4_89+fixes branch. I'll put there some additional backported
> (from devel branch) minor security enhancements and send you a
> notification as soon as the +fixes branch is available.

As we are somewhat delayed with creating a new (point?) release, I'd kindly ask you to include this commit into your packaged versions of Exim:

65e061b76867a9ea7aeeb535341b790b90ae6c21

There should be no impact for ordinary users of Exim. It prevents the multiple use of the '-p <protocol>' option for the command line invocation. (There is probably no use case for doing so.) By this small patch we can help improve the security of the underlying system.

This commit is part of the current, but not yet released, master branch. We'll prepare a new Exim version, or do a point release, including this commit. Until this is done, please include this patch manually. In case you do not have access to the Git repo, the patch is attached to this message. It should apply cleanly.

Thank you for your understanding.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --------------- key ID: F69376CE - !
key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ - commit 65e061b76867a9ea7aeeb535341b790b90ae6c21 Author: Heiko Schlittermann (HS12-RIPE) <h...@schlittermann.de> Date: Wed May 31 23:08:56 2017 +0200 Cleanup (prevent repeated use of -p/-oMr to avoid mem leak) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 06373ccd..7816bc26 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4274,7 +4274,7 @@ or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard SMTP protocol names (see the description of &$received_protocol$& in section &<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by one of those same names. For &%-bS%& (batched SMTP) however, the protocol can -be set by &%-oMr%&. +be set by &%-oMr%&. Repeated use of this option is not supported. .vitem &%-oMs%&&~<&'host&~name'&> .oindex "&%-oMs%&" @@ -4374,6 +4374,7 @@ host name and its colon can be omitted when only the protocol is to be set. Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer to embedded Perl. It is therefore impossible to set a protocol value of &`d`& or &`s`& using this option (but that does not seem a real limitation). +Repeated use of this option is not supported. .vitem &%-q%& .oindex "&%-q%&" diff --git a/src/src/exim.c b/src/src/exim.c index 67583e58..88e11977 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++) /* -oMr: Received protocol */ - else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; + else if (Ustrcmp(argrest, "Mr") == 0) + + if (received_protocol) + { + fprintf(stderr, "received_protocol is set already\n"); + exit(EXIT_FAILURE); + } + else received_protocol = argv[++i]; /* -oMs: Set sender host name */ 
@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++) if (*argrest != 0) { - uschar *hn = Ustrchr(argrest, ':'); + uschar *hn; + + if (received_protocol) + { + fprintf(stderr, "received_protocol is set already\n"); + exit(EXIT_FAILURE); + } + + hn = Ustrchr(argrest, ':'); if (hn == NULL) { received_protocol = argrest; ----- End forwarded message -----
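Review bot: in the spec.xfpt hunk at @@ -4274, the added sentence "Repeated use of this option is not supported." after "be set by &%-oMr%&." is weaker than what the accompanying exim.c change does, which is to abort the invocation with exit(EXIT_FAILURE). Suggest wording that states the behaviour, e.g. "Using this option more than once (or together with &%-p%&, which sets the same value) causes Exim to exit with an error.", so an administrator whose script passes &%-oMr%& twice is not surprised by a hard failure.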
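Review bot: the spec.xfpt hunk at @@ -4374 has the same wording problem as the &%-oMr%& paragraph: "Repeated use of this option is not supported." should say that a second &%-p%& (or a &%-p%& following &%-oMr%&, since both set the received protocol) makes Exim exit with an error, rather than leaving the reader to assume the extra option is ignored.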
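Review bot: in the exim.c hunk at @@ -3106, the body hung off `else if (Ustrcmp(argrest, "Mr") == 0)` is an un-braced nested if/else, so `else received_protocol = argv[++i];` is easy to misread as part of the outer option chain; wrap the whole body in braces to match the surrounding style. The diagnostic `received_protocol is set already` also names an internal variable rather than the option the user typed; a message such as `-oMr: protocol already set (repeated -oMr or -p)` would be clearer, and since the identical fprintf/exit pair is added to the -p branch below, a single helper would keep the two in sync.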
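Review bot: in the exim.c hunk at @@ -3202, the new guard is placed inside `if (*argrest != 0)`, so it only covers the `-p<value>` form with a value attached; please confirm that whatever handles a bare `-p` (outside this hunk) cannot also assign received_protocol without passing the same check. The `fprintf(stderr, "received_protocol is set already\n"); exit(EXIT_FAILURE);` pair is a verbatim copy of the one in the -oMr branch; a small `static void` helper taking the option name as its argument would remove the duplication and produce a message that names `-p` instead of the variable.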
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##