Re: [Exim] [Security-l] lil' exim format bug (fwd)

Author: Chris Thompson
Date:  
To: exim-users
Subject: Re: [Exim] [Security-l] lil' exim format bug (fwd)

There is no doubt that this is a potentially exploitable security bug, and
that it exists in all recent versions of Exim up to and including 3.22.
The exact nature of what Exim can be made to do depends heavily on the
architecture, library routines, and compiler.

Philip is expected back here next Monday, and we will of course be drawing
his attention to this problem as soon as possible.

I have no reason to doubt that the one-line source patch already posted
is a complete fix for the problem.

I can confirm that the bug is currently still present in Philip's exim3
development source tree. On the other hand some very similar code in
the exim4 tree appears to be fixed: maybe I shouldn't speculate on how
that happened until the author is here to explain ... :)

Chris Thompson               University of Cambridge Computing Service,
Email: cet1@???    New Museums Site, Cambridge CB2 3QG,
Phone: +44 1223 334715       United Kingdom.