Bug#826646: Incorrect handling with initial_cwd variable

2016-06-12 Thread Andreas Metzler
Control: notfound -1 4.80
Control: found -1 4.80-7+deb7u2
Control: found -1 4.84.2-1

On 2016-06-12 Серж ИвановЪ wrote:
> I would like to point out that this bug also affects current debian stable
> exim package.
[...]
> Do I need to file a bug report for debian jessie (exim4-4.84) version?

Not necessary, I will simply tell the debian BTS which versions have the
bug.

I am not sure this will be fixed in wheezy, though. There won't be any
more regular stable updates, there is only LTS support and I am not sure
this kind of issue qualifies for LTS.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug#826646: Incorrect handling with initial_cwd variable

2016-06-12 Thread Серж ИвановЪ
I would like to point out that this bug also affects current debian stable
exim package.
To verify one would need to examine exim source package for debian jessie

apt-get source exim4
grep -A 8 "To be safe: change the working directory to" ./exim4-4.84.2/src/exim.c

"""
/* To be safe: change the working directory to /. */
if (Uchdir("/") < 0)
  {
perror("exim: chdir `/': ");
exit(EXIT_FAILURE);
  }

/* Store the initial cwd before we change directories */
if ((initial_cwd = getcwd(NULL, 0)) == NULL)
"""

This is exactly the same error as in oldstable; we are doing chroot BEFORE
initial_cwd handling.

So this upstream patch is also applicable:
https://github.com/Exim/exim/commit/3de973a29de6852d61ba9bf1845835d08ca5a5ab#diff-6e46fb11179cb7da978360d317a92ee0

Do I need to file a bug report for debian jessie (exim4-4.84) version?

Thanks


Bug#826646: Incorrect handling with initial_cwd variable

2016-06-11 Thread Andreas Metzler
On 2016-06-10 Серж ИвановЪ wrote:
> Our friends at Ubuntu released initial_cwd security patch correctly from
> the start.

> Here is a relevant change log:
> http://changelogs.ubuntu.com/changelogs/pool/main/e/exim4/exim4_4.82-3ubuntu2.1/changelog

> "debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened the
> main config."

> Some feedback would be greatly appreciated.

Thanks for the pointer, I will try to get a fix approved for the next
oldstable release.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug#826646: Incorrect handling with initial_cwd variable

2016-06-09 Thread Серж ИвановЪ
Our friends at Ubuntu released initial_cwd security patch correctly from
the start.

Here is a relevant change log:
http://changelogs.ubuntu.com/changelogs/pool/main/e/exim4/exim4_4.82-3ubuntu2.1/changelog

"debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened the
main config."

Some feedback would be greatly appreciated.


Bug#826646: Incorrect handling with initial_cwd variable

2016-06-07 Thread Серж ИвановЪ
Package: exim4
Priority: standard
Version: 4.80

Currently the exim4 debian package does not handle the CWD parameter correctly.

This fix introduced a security patch to store the CWD in an additional variable
named initial_cwd, and it was applied in the debian exim packages.
https://bugs.exim.org/show_bug.cgi?id=1805

Before this security fix (Bug 1805), upstream introduced some additional
changes to the CWD handling code; this fix was not applied by the debian package
maintainers.
https://github.com/Exim/exim/commit/3de973a29de6852d61ba9bf1845835d08ca5a5ab#diff-6e46fb11179cb7da978360d317a92ee0

The current behavior overrides the CWD BEFORE any CWD handling can occur.

Uchdir("/") occurs before initial_cwd reads current working directory.

This bug applies to exim in the stable and oldstable distributions.

This bug can be reproduced by adding this code "warn logwrite =
$initial_cwd" into the acl_not_smtp_start config section.

When sending email using plain sendmail, the exim4 mail.log should contain the
initial working directory of the calling process, but instead it contains the
already chrooted path "/".

This is a serious bug; it breaks the logic of much spam handling software and
should be fixed soon.