[Exim] Minor security bug

Author: Philip Hazel
Date:  
To: exim-users, exim-announce
Subject: [Exim] Minor security bug
A minor security problem has been found in Exim 3 and 4 (many thanks to
Nick Cleaton). The bug is not thought to be exploitable, but one can
never be absolutely certain.

The bug is fixed in Exim 4.21, which I have just released. Patches for
Exim 4.20 and Exim 3.36 are below. For other releases, these patches may
also work, or can be trivially adapted if the patch program has problems
with the line numbers. The actual code in question has hardly changed
for many years.

Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.




----------------- Patch for Exim 4.20 -----------------

*** exim-4.20/src/smtp_in.c Mon May 12 14:39:22 2003
--- smtp_in.c     Wed Aug 13 14:26:01 2003
***************
*** 1967,1978 ****


      if (!check_helo(smtp_data))
        {
-       uschar *s;
        smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
-       if (*smtp_data == 0) Ustrcpy(smtp_data, "(no argument given)");
-       s = string_printing(smtp_data);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
!         "invalid argument(s): %s", hello, host_and_ident(FALSE), s);
        break;
        }


--- 1967,1977 ----

      if (!check_helo(smtp_data))
        {
        smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
!         "invalid argument(s): %s", hello, host_and_ident(FALSE),
!         (*smtp_data == 0)? US"(no argument given)" :
!                            string_printing(smtp_data));
        break;
        }
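
Review bot: The rewritten log_write() call has no comment explaining why the in-place copy was dropped, and one belongs just above the conditional argument. The removed line, Ustrcpy(smtp_data, "(no argument given)"), wrote 20 bytes (19 characters plus the terminator) at a pointer that the hunk only knows to reference an empty string, with no check anywhere in these lines on how much room follows it. A one-line comment stating that smtp_data must be treated as read-only here would keep a later edit from reintroducing the copy. The conditional itself is fine: both arms have the type that was previously assigned to uschar *s.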


----------------------------------------------------------------



----------------- Patch for Exim 3.36 -----------------


*** exim-3.36/src/smtp_in.c Thu Apr  4 13:56:20 2002
--- smtp_in.c    Thu Aug 14 09:09:33 2003
***************
*** 2021,2033 ****


      if (!check_helo(smtp_data))
        {
!       char *s;
!       smtp_printf("501 syntactically invalid %s argument(s)\r\n", hello);
!       if (*smtp_data == 0) strcpy(smtp_data, "(no argument given)");
!       s = string_printing(smtp_data);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
          "invalid argument(s): %s", hello,
!         (sender_fullhost == NULL)? "local process" : sender_fullhost, s);
        break;
        }


--- 2021,2032 ----

      if (!check_helo(smtp_data))
        {
!       smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
          "invalid argument(s): %s", hello,
!         (sender_fullhost == NULL)? "local process" : sender_fullhost,
!         (*smtp_data == 0)? "(no argument given)" :
!                            string_printing(smtp_data));
        break;
        }
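
Review bot: The smtp_printf() line changes the 501 reply from "syntactically" to "Syntactically", which is unrelated to removing the strcpy() into smtp_data and alters the text that clients receive. For a security patch against 3.36 I would split that out, or at least mention it in the announcement so that anyone matching on the reply text is not surprised. The rest mirrors the 4.20 change: the constant "(no argument given)" is passed straight to log_write() instead of being copied over smtp_data, and the now unused char *s declaration is removed with it.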


----------------------------------------------------------------