[Exim] Minor security bug

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
M\Florian Laws at ->
Delete this message
Reply to this message
Author: Philip Hazel
Date:  
To: exim-users, exim-announce
Subject: [Exim] Minor security bug
A minor security problem has been found in Exim 3 and 4 (many thanks to
Nick Cleaton). The bug is not thought to be exploitable, but one can
never be absolutely certain.

The bug is fixed in Exim 4.21, which I have just released. Patches for
Exim 4.20 and Exim 3.36 are below. For other releases, these patches may
also work, or can be trivially adapted if the patch program has problems
with the line numbers. The actual code in question has hardly changed
for many years.

Philip 

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.




----------------- Patch for Exim 4.20 ----------------- 

*** exim-4.20/src/smtp_in.c Mon May 12 14:39:22 2003
--- smtp_in.c     Wed Aug 13 14:26:01 2003
***************
*** 1967,1978 ****


      if (!check_helo(smtp_data))
        {
-       uschar *s;
        smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
-       if (*smtp_data == 0) Ustrcpy(smtp_data, "(no argument given)");
-       s = string_printing(smtp_data);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
!         "invalid argument(s): %s", hello, host_and_ident(FALSE), s);
        break;
        }


--- 1967,1977 ---- 

      if (!check_helo(smtp_data))
        {
        smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
!         "invalid argument(s): %s", hello, host_and_ident(FALSE),
!         (*smtp_data == 0)? US"(no argument given)" :
!                            string_printing(smtp_data));
        break;
        }


----------------------------------------------------------------



----------------- Patch for Exim 3.36 ----------------- 


*** exim-3.36/src/smtp_in.c Thu Apr  4 13:56:20 2002
--- smtp_in.c    Thu Aug 14 09:09:33 2003
***************
*** 2021,2033 ****


      if (!check_helo(smtp_data))
        {
!       char *s;
!       smtp_printf("501 syntactically invalid %s argument(s)\r\n", hello);
!       if (*smtp_data == 0) strcpy(smtp_data, "(no argument given)");
!       s = string_printing(smtp_data);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
          "invalid argument(s): %s", hello,
!         (sender_fullhost == NULL)? "local process" : sender_fullhost, s);
        break;
        }


--- 2021,2032 ---- 

      if (!check_helo(smtp_data))
        {
!       smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
        log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
          "invalid argument(s): %s", hello,
!         (sender_fullhost == NULL)? "local process" : sender_fullhost,
!         (*smtp_data == 0)? "(no argument given)" :
!                            string_printing(smtp_data));
        break;
        }


----------------------------------------------------------------





This message was posted to the following mailing lists:
Exim-announce
Mailing List Info | Nearby Messages		<-[Exim] Exim 4.21 released[Exim-Announce] Re: [Exim] Exim 4.21 released->
Exim-users
Mailing List Info | Nearby Messages		<-[Exim] Exim 4.21 released[Exim] calling log_write() in transport->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)