A minor security problem has been found in Exim 3 and 4 (many thanks to
Nick Cleaton). The bug is not thought to be exploitable, but one can
never be absolutely certain.
The bug is fixed in Exim 4.21, which I have just released. Patches for
Exim 4.20 and Exim 3.36 are below. For other releases, these patches may
also work, or can be trivially adapted if the patch program has problems
with the line numbers. The actual code in question has hardly changed
for many years.
Philip
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
----------------- Patch for Exim 4.20 -----------------
*** exim-4.20/src/smtp_in.c Mon May 12 14:39:22 2003
--- smtp_in.c Wed Aug 13 14:26:01 2003
***************
*** 1967,1978 ****
if (!check_helo(smtp_data))
{
- uschar *s;
smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
- if (*smtp_data == 0) Ustrcpy(smtp_data, "(no argument given)");
- s = string_printing(smtp_data);
log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
! "invalid argument(s): %s", hello, host_and_ident(FALSE), s);
break;
}
--- 1967,1977 ----
if (!check_helo(smtp_data))
{
smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
! "invalid argument(s): %s", hello, host_and_ident(FALSE),
! (*smtp_data == 0)? US"(no argument given)" :
! string_printing(smtp_data));
break;
}
----------------------------------------------------------------
----------------- Patch for Exim 3.36 -----------------
*** exim-3.36/src/smtp_in.c Thu Apr 4 13:56:20 2002
--- smtp_in.c Thu Aug 14 09:09:33 2003
***************
*** 2021,2033 ****
if (!check_helo(smtp_data))
{
! char *s;
! smtp_printf("501 syntactically invalid %s argument(s)\r\n", hello);
! if (*smtp_data == 0) strcpy(smtp_data, "(no argument given)");
! s = string_printing(smtp_data);
log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
"invalid argument(s): %s", hello,
! (sender_fullhost == NULL)? "local process" : sender_fullhost, s);
break;
}
--- 2021,2032 ----
if (!check_helo(smtp_data))
{
! smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
"invalid argument(s): %s", hello,
! (sender_fullhost == NULL)? "local process" : sender_fullhost,
! (*smtp_data == 0)? "(no argument given)" :
! string_printing(smtp_data));
break;
}
----------------------------------------------------------------