Re: [Exim] [Security-l] lil' exim format bug (fwd)

Author: Philip Hazel
Date:  
To: Chris Thompson
CC: exim-users
Subject: Re: [Exim] [Security-l] lil' exim format bug (fwd)
On Thu, 7 Jun 2001, Chris Thompson wrote:

> I have no reason to doubt that the one-line source patch already posted
> is a complete fix for the problem.


Yes. I agree that that is the correct fix. So I hereby declare it
"official".

Everybody should apply it. Strictly, contrary to what the original
posted said, it does not apply only when header checking is set. It
applies to any kind of SMTP response that includes a quote from the SMTP
input. However, it does look as though the header-checking responses are
the main case where this happens, though it may also happen for sender
verification error messages.

HOWEVER, the problem is restricted only to the case of batch SMTP - that
is, when Exim is called with the -bS option. That means it is not an
exposure to external SMTP calls.

> I can confirm that the bug is currently still present in Philip's exim3
> development source tree. On the other hand some very similar code in
> the exim4 tree appears to be fixed: maybe I shouldn't speculate on how
> that happened until the author is here to explain ... :)


I can't explain! I've been pulling a lot of code to pieces and working
on it for Exim 4, so presumably I noticed the problem at some point and
fixed it, without thinking of retro-fitting it to Exim 3. (I probably
just thought it was an infelicity, and didn't think of it in a security
context. I don't have the right kind of devious mind to think up
security attacks.)

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
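
The bug class discussed in this message, as an added illustration that is not Exim's source and not the posted patch: a printf-style response routine is handed, as its format argument, a string that already quotes SMTP input. The names `smtp_reply`, `reject_header_unsafe` and `reject_header_safe`, the response text and the sample header are all hypothetical and constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reply writer, standing in for an MTA's
 * response function. Writes into a buffer so the result can be inspected. */
static int smtp_reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE: the message quoting the input is built first and then passed
 * as the format string, so any '%' in the input is parsed as a directive. */
int reject_header_unsafe(char *out, size_t outlen, const char *header)
{
    char msg[256];
    snprintf(msg, sizeof msg, "550 syntax error in header: %s\r\n", header);
    return smtp_reply(out, outlen, msg);
}

/* AFTER: the format is a constant and the built message is only data. */
int reject_header_safe(char *out, size_t outlen, const char *header)
{
    char msg[256];
    snprintf(msg, sizeof msg, "550 syntax error in header: %s\r\n", header);
    return smtp_reply(out, outlen, "%s", msg);
}

int main(void)
{
    /* Constructed input. "%%" is used because it is well defined as a
     * format directive (it emits one '%') and consumes no arguments. */
    const char *header = "To: a%%b@example.test";
    char a[300], b[300];

    reject_header_unsafe(a, sizeof a, header);
    reject_header_safe(b, sizeof b, header);
    printf("unsafe: %s", a);  /* input was interpreted: one '%' remains */
    printf("safe:   %s", b);  /* input echoed verbatim: both '%' remain */
    return 0;
}
```

The two outputs differ by one character, which is enough to show that the quoted input reached the format parser in the first variant.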