Bug#826646: Incorrect handling with initial_cwd variable
Control: notfound -1 4.80
Control: found -1 4.80-7+deb7u2
Control: found -1 4.84.2-1

On 2016-06-12 Серж ИвановЪ wrote:
> I would like to point out that this bug also affects current debian stable
> exim package.
[...]
> Do I need to file a bug report for debian jessie (exim4-4.84) version?

Not necessary, I will simply tell the debian BTS which versions have the bug. I am not sure this will be fixed in wheezy, though. There won't be any more regular stable updates, there is only LTS support and I am not sure this kind of issue qualifies for LTS.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#826646: Incorrect handling with initial_cwd variable
I would like to point out that this bug also affects current debian stable exim package.

To verify one would need to examine exim source package for debian jessie:

  apt-get source exim4
  grep -A 8 "To be safe: change the working directory to" ./exim4-4.84.2/src/exim.c

"""
/* To be safe: change the working directory to /. */
if (Uchdir("/") < 0)
  {
  perror("exim: chdir `/': ");
  exit(EXIT_FAILURE);
  }

/* Store the initial cwd before we change directories */
if ((initial_cwd = getcwd(NULL, 0)) == NULL)
"""

This is exactly the same error as in oldstable, we are doing chroot BEFORE initial_cwd handling.

So this upstream patch is also applicable:
https://github.com/Exim/exim/commit/3de973a29de6852d61ba9bf1845835d08ca5a5ab#diff-6e46fb11179cb7da978360d317a92ee0

Do I need to file a bug report for debian jessie (exim4-4.84) version?

Thanks
Bug#826646: Incorrect handling with initial_cwd variable
On 2016-06-10 Серж ИвановЪ wrote:
> Our friends at Ubuntu released initial_cwd security patch correctly from
> the start.
> Here is a relevant change log:
> http://changelogs.ubuntu.com/changelogs/pool/main/e/exim4/exim4_4.82-3ubuntu2.1/changelog
> "debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened the
> main config."
> Some feedback would be greatly appreciated.

Thanks for the pointer, I will try to get a fix approved for the next oldstable release.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#826646: Incorrect handling with initial_cwd variable
Our friends at Ubuntu released initial_cwd security patch correctly from the start.

Here is a relevant change log:
http://changelogs.ubuntu.com/changelogs/pool/main/e/exim4/exim4_4.82-3ubuntu2.1/changelog

"debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened the main config."

Some feedback would be greatly appreciated.
Bug#826646: Incorrect handling with initial_cwd variable
Package: exim4
Priority: standard
Version: 4.80

Currently exim4 debian package handles CWD parameter not correctly.

This fix introduced security patch to store CWD into additional variable named initial_cwd and it was applied in debian exim packages.
https://bugs.exim.org/show_bug.cgi?id=1805

Before this security fix (Bug 1805), upstream introduced some additional changes to CWD handling code, this fix was not applied by debian package maintainers.
https://github.com/Exim/exim/commit/3de973a29de6852d61ba9bf1845835d08ca5a5ab#diff-6e46fb11179cb7da978360d317a92ee0

Current behavior overrides CWD BEFORE any CWD handling could occur. Uchdir("/") occurs before initial_cwd reads current working directory.

This bug applies to exim in stable and oldstable distribution.

This bug can be reproduced by adding this code

  "warn logwrite = $initial_cwd"

into acl_not_smtp_start config section.

While sending email using plain sendmail, exim4 mail.log has to contain initial working directory of calling process but instead it contains already chrooted path "/".

This is a serious bug, it breaks logic of many spam handling software and should be fixed soon.
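
The ordering problem described in this report, reduced to a stand-alone C program. This is an added illustration, not code from Exim or from the Debian or Ubuntu patches: the function names and the use of /tmp as the caller's starting directory are assumptions, and the second routine shows only the capture-before-chdir ordering, not the upstream change itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Order reported in the bug: chdir("/") runs first, so the value saved
   afterwards is always "/" regardless of where the caller started. */
static char *capture_cwd_after_chdir(void)
{
    if (chdir("/") < 0)
        return NULL;
    return getcwd(NULL, 0);   /* allocates the buffer (glibc/BSD behaviour) */
}

/* Corrected order: record the caller's directory, then move to "/". */
static char *capture_cwd_before_chdir(void)
{
    char *saved = getcwd(NULL, 0);
    if (saved == NULL)
        return NULL;
    if (chdir("/") < 0) {
        free(saved);
        return NULL;
    }
    return saved;
}

/* Start in start_dir (a constructed sample path), run one capture routine,
   and return 1 if the caller's directory was preserved, 0 if it was lost,
   -1 on error. */
static int preserves_caller_cwd(const char *start_dir, char *(*capture)(void))
{
    int rc = -1;
    char *expected = NULL, *saved = NULL;
    if (chdir(start_dir) == 0 && (expected = getcwd(NULL, 0)) != NULL
        && (saved = capture()) != NULL)
        rc = (strcmp(expected, saved) == 0);
    free(expected);
    free(saved);
    return rc;
}

int main(void)
{
    printf("chdir first:  preserved=%d\n",
           preserves_caller_cwd("/tmp", capture_cwd_after_chdir));
    printf("getcwd first: preserved=%d\n",
           preserves_caller_cwd("/tmp", capture_cwd_before_chdir));
    return 0;
}
```

On a package with the reported ordering, the `warn logwrite = $initial_cwd` check from the report corresponds to the first case: the logged value is "/" for every caller.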