commit 3383c69f1802e4d82f492625bc853a80611b5106 Author: Arkadiusz Miśkiewicz <ar...@maven.pl> Date: Tue Oct 3 15:10:21 2023 +0200
Fixes are now part of a branch patch. CVE-2023-42114+42115+42116-fixes.patch | 306 --------------------------------- exim.spec | 6 +- 2 files changed, 2 insertions(+), 310 deletions(-) --- diff --git a/exim.spec b/exim.spec index 89ac53b..1f87b83 100644 --- a/exim.spec +++ b/exim.spec @@ -49,7 +49,7 @@ Source15: %{name}4-smtp.pamd Source16: %{name}on.png # sh branch.sh Patch100: %{name}-git.patch -# Patch100-md5: a08ce639b3a3652899a84ff606e66517 +# Patch100-md5: e915e596f4bdd857f1e6b5881d57b835 Patch0: %{name}4-EDITME.patch Patch1: %{name}4-monitor-EDITME.patch Patch2: %{name}4-cflags.patch @@ -62,8 +62,7 @@ Patch6: 90_localscan_dlopen-fixes.dpatch Patch7: linelength-show.patch Patch8: %{name}-spam-timeout.patch Patch9: autoreply-return-path.patch -Patch10: CVE-2023-42114+42115+42116-fixes.patch -Patch11: unofficial-hotfix.patch +Patch10: unofficial-hotfix.patch URL: http://www.exim.org/ %{?with_sasl:BuildRequires: cyrus-sasl-devel >= 2.1.0} BuildRequires: db-devel @@ -189,7 +188,6 @@ Pliki nagłówkowe dla Exima. %patch8 -p1 %patch9 -p2 %patch10 -p2 -%patch11 -p2 install %{SOURCE4} exim4.conf install %{SOURCE14} doc/config.samples.tar.bz2 diff --git a/CVE-2023-42114+42115+42116-fixes.patch b/CVE-2023-42114+42115+42116-fixes.patch deleted file mode 100644 index 15d7047..0000000 --- a/CVE-2023-42114+42115+42116-fixes.patch +++ /dev/null 
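Review bot: Nothing in exim.spec now records that the fixes for CVE-2023-42114, CVE-2023-42115 and CVE-2023-42116 are shipped, because the second hunk removes the only `Patch10:` line that named them and the refreshed `%{name}-git.patch` appears here only as a changed `Patch100-md5` in the first hunk. The branch patch's content is not part of this diff, so before building, confirm that it contains what the deleted file carried: the bounds checks in `spa_bytes_add` and the `get_challenge_*` helpers in auth-spa.c, and the `expand_nmax = 1` assignment in external.c. I would add a comment above `Patch100:` such as `# branch patch includes fixes for CVE-2023-42114, CVE-2023-42115, CVE-2023-42116`, so a later audit of the package can tell the CVEs are covered. The renumbered `Patch10: unofficial-hotfix.patch` likewise has no comment giving its origin or the issue it addresses; a one-line comment above it would make that traceable.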
@@ -1,306 +0,0 @@ -;+JH/01 Bug 2999: Fix a possible OOB write in the external authenticator, which -; could be triggered by externally-supplied input. Found by Trend Micro. -; CVE-2023-42115 -; -;JH/02 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could -; be triggered by externally-controlled input. Found by Trend Micro. -; CVE-2023-42116 -; -;JH/03 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could -; be triggered by externally-controlled input. Found by Trend Micro. -; CVE-2023-42114 -; -diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c -index 8d886b6b6..bb3d327d1 100644 ---- a/src/src/auths/auth-spa.c -+++ b/src/src/auths/auth-spa.c -@@ -155,6 +155,9 @@ int main (int argc, char ** argv) - up with a different answer to the one above) - */ - -+#ifndef MACRO_PREDEF -+ -+ - #define DEBUG_X(a,b) ; - - extern int DEBUGLEVEL; -@@ -1211,7 +1214,9 @@ char versionString[] = "libntlm version 0.21"; - - #define spa_bytes_add(ptr, header, buf, count) \ - { \ --if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \ -+if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \ -+ && ptr->bufIndex + count < sizeof(ptr->buffer) \ -+ ) \ - { \ - SSVAL(&ptr->header.len,0,count); \ - SSVAL(&ptr->header.maxlen,0,count); \ -@@ -1229,35 +1234,30 @@ else \ - - #define spa_string_add(ptr, header, string) \ - { \ --char *p = string; \ -+uschar * p = string; \ - int len = 0; \ --if (p) len = strlen(p); \ --spa_bytes_add(ptr, header, (US p), len); \ -+if (p) len = Ustrlen(p); \ -+spa_bytes_add(ptr, header, p, len); \ - } - - #define spa_unicode_add_string(ptr, header, string) \ - { \ --char *p = string; \ --uschar *b = NULL; \ -+uschar * p = string; \ -+uschar * b = NULL; \ - int len = 0; \ - if (p) \ - { \ -- len = strlen(p); \ -- b = strToUnicode(p); \ -+ len = Ustrlen(p); \ -+ b = US strToUnicode(CS p); \ - } \ - spa_bytes_add(ptr, header, b, len*2); \ - } - - --#define GetUnicodeString(structPtr, header) \ 
--unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) --#define GetString(structPtr, header) \ --toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) -- - #ifdef notdef - - #define DumpBuffer(fp, structPtr, header) \ --dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) -+ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) - - - static void -@@ -1321,8 +1321,33 @@ buf[len] = 0; - return buf; - } - -+static inline uschar * -+get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr) -+{ -+int off = IVAL(&hdr->offset, 0); -+int len = SVAL(&hdr->len, 0); -+return off + len < sizeof(SPAAuthChallenge) -+ ? US unicodeToString(CS challenge + off, len/2) : US""; -+} -+ -+static inline uschar * -+get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr) -+{ -+int off = IVAL(&hdr->offset, 0); -+int len = SVAL(&hdr->len, 0); -+return off + len < sizeof(SPAAuthChallenge) -+ ? 
US toString(CS challenge + off, len) : US""; -+} -+ - #ifdef notdef - -+#define GetUnicodeString(structPtr, header) \ -+ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) -+ -+#define GetString(structPtr, header) \ -+ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) -+ -+ - void - dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request) - { -@@ -1366,15 +1391,15 @@ fprintf (fp, " Flags = %08x\n", IVAL (&response->flags, 0)); - #endif - - void --spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain) -+spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain) - { --char *u = strdup (user); --char *p = strchr (u, '@'); -+uschar * u = string_copy(user); -+uschar * p = Ustrchr(u, '@'); - - if (p) - { - if (!domain) -- domain = p + 1; -+ domain = p + 1; - *p = '\0'; - } - -@@ -1384,7 +1409,6 @@ SIVAL (&request->msgType, 0, 1); - SIVAL (&request->flags, 0, 0x0000b207); /* have to figure out what these mean */ - spa_string_add (request, user, u); - spa_string_add (request, domain, domain); --free (u); - } - - -@@ -1475,16 +1499,16 @@ free (u); - - void - spa_build_auth_response (SPAAuthChallenge * challenge, -- SPAAuthResponse * response, char *user, -- char *password) -+ SPAAuthResponse * response, uschar * user, -+ uschar * password) - { - uint8x lmRespData[24]; - uint8x ntRespData[24]; - uint32x cf = IVAL(&challenge->flags, 0); --char *u = strdup (user); --char *p = strchr (u, '@'); --char *d = NULL; --char *domain; -+uschar * u = string_copy(user); -+uschar * p = Ustrchr(u, '@'); -+uschar * d = NULL; -+uschar * domain; - - if (p) - { -@@ -1492,33 +1516,33 @@ if (p) - *p = '\0'; - } - --else domain = d = strdup((cf & 0x1)? -- CCS GetUnicodeString(challenge, uDomain) : -- CCS GetString(challenge, uDomain)); -+else domain = d = string_copy(cf & 0x1 -+ ? 
CUS get_challenge_unistr(challenge, &challenge->uDomain) -+ : CUS get_challenge_str(challenge, &challenge->uDomain)); - --spa_smb_encrypt (US password, challenge->challengeData, lmRespData); --spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData); -+spa_smb_encrypt(password, challenge->challengeData, lmRespData); -+spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData); - - response->bufIndex = 0; - memcpy (response->ident, "NTLMSSP\0\0\0", 8); - SIVAL (&response->msgType, 0, 3); - --spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0); --spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0); -+spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0); -+spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0); - - if (cf & 0x1) { /* Unicode Text */ -- spa_unicode_add_string (response, uDomain, domain); -- spa_unicode_add_string (response, uUser, u); -- spa_unicode_add_string (response, uWks, u); -+ spa_unicode_add_string(response, uDomain, domain); -+ spa_unicode_add_string(response, uUser, u); -+ spa_unicode_add_string(response, uWks, u); - } else { /* OEM Text */ -- spa_string_add (response, uDomain, domain); -- spa_string_add (response, uUser, u); -- spa_string_add (response, uWks, u); -+ spa_string_add(response, uDomain, domain); -+ spa_string_add(response, uUser, u); -+ spa_string_add(response, uWks, u); - } - --spa_string_add (response, sessionKey, NULL); -+spa_string_add(response, sessionKey, NULL); - response->flags = challenge->flags; -- --if (d != NULL) free (d); --free (u); - } -+ -+ -+#endif /*!MACRO_PREDEF*/ -diff --git a/src/src/auths/auth-spa.h b/src/src/auths/auth-spa.h -index cfe1b086d..3b0b3a9e3 100644 ---- a/src/src/auths/auth-spa.h -+++ b/src/src/auths/auth-spa.h -@@ -79,10 +79,10 @@ typedef struct - - void spa_bits_to_base64 (unsigned char *, const unsigned char *, int); - int spa_base64_to_bits(char *, int, const char *); --void spa_build_auth_response 
(SPAAuthChallenge *challenge, -- SPAAuthResponse *response, char *user, char *password); --void spa_build_auth_request (SPAAuthRequest *request, char *user, -- char *domain); -+void spa_build_auth_response (SPAAuthChallenge * challenge, -+ SPAAuthResponse * response, uschar * user, uschar * password); -+void spa_build_auth_request (SPAAuthRequest * request, uschar * user, -+ uschar * domain); - extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8, - unsigned char * p24); - extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8, -diff --git a/src/src/auths/external.c b/src/src/auths/external.c -index 7e7fca841..790b98159 100644 ---- a/src/src/auths/external.c -+++ b/src/src/auths/external.c -@@ -103,7 +103,7 @@ if (expand_nmax == 0) /* skip if rxd data */ - if (ob->server_param2) - { - uschar * s = expand_string(ob->server_param2); -- auth_vars[expand_nmax] = s; -+ auth_vars[expand_nmax = 1] = s; - expand_nstring[++expand_nmax] = s; - expand_nlength[expand_nmax] = Ustrlen(s); - if (ob->server_param3) -diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c -index ff90d33a3..bfaccefda 100644 ---- a/src/src/auths/spa.c -+++ b/src/src/auths/spa.c -@@ -284,14 +284,13 @@ SPAAuthRequest request; - SPAAuthChallenge challenge; - SPAAuthResponse response; - char msgbuf[2048]; --char *domain = NULL; --char *username, *password; -+uschar * domain = NULL, * username, * password; - - /* Code added by PH to expand the options */ - - *buffer = 0; /* Default no message when cancelled */ - --if (!(username = CS expand_string(ob->spa_username))) -+if (!(username = expand_string(ob->spa_username))) - { - if (f.expand_string_forcedfail) return CANCELLED; - string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " -@@ -300,7 +299,7 @@ if (!(username = CS expand_string(ob->spa_username))) - return ERROR; - } - --if (!(password = CS expand_string(ob->spa_password))) -+if (!(password = expand_string(ob->spa_password))) - { - if 
(f.expand_string_forcedfail) return CANCELLED; - string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " -@@ -310,7 +309,7 @@ if (!(password = CS expand_string(ob->spa_password))) - } - - if (ob->spa_domain) -- if (!(domain = CS expand_string(ob->spa_domain))) -+ if (!(domain = expand_string(ob->spa_domain))) - { - if (f.expand_string_forcedfail) return CANCELLED; - string_format(buffer, buffsize, "expansion of \"%s\" failed in %s " -@@ -330,7 +329,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout)) - - DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain); - --spa_build_auth_request(&request, CS username, domain); -+spa_build_auth_request(&request, username, domain); - spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request)); - - DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf); -@@ -347,7 +346,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout)) - DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4); - spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4)); - --spa_build_auth_response(&challenge, &response, CS username, CS password); -+spa_build_auth_response(&challenge, &response, username, password); - spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response)); - DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf); - ================================================================ ---- gitweb: http://git.pld-linux.org/gitweb.cgi/packages/exim.git/commitdiff/3383c69f1802e4d82f492625bc853a80611b5106 _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit