Torsten Luettgert wrote:
>> - Fix: only feed files called "winmail.dat" to the TNEF
>> decoder. It seems it likes to crash on some arbitrary
>> files (Which is a bug in itself, but I don't feel like
>> debugging the mess which is tnef.c and tnef.h. And
>> I don't feel like writing my own TNEF support either.).
>
>
> So that means that I'm vulnerable to server crashes by evil
> folks sending me carefully crafted attachments called
> 'winmail.dat'?

Yes. Although only the exim child process handling that particular
connection would die (yes, over and over again). I currently have no
idea if that bug is "exploitable" in any way. The new default config in
-16 does not use "demime" any more, also meaning that it does not unpack
TNEF by default. With the MIME ACL, you can feed individual files to
external decompressors. There is a command-line tnef unpacker available
somewhere.

I am not comfortable with the TNEF support in general. The code has been
lifted straight out of a Microsoft SDK, with some modifications, first
by Paul L. Daniels and then by me. It is the only code in the exiscan
patch not written from scratch by me.

Conclusion: If you are paranoid, use the new MIME ACL instead of
"demime". :)

regards,
/tom
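
Added example, not part of the original message and not exiscan code: a sketch of the "external decompressor" approach mentioned above, where the attachment is gated on the TNEF signature rather than its filename and unpacked in a separate process so a decoder crash is reported instead of killing the caller. The function names and the decoder command line are assumptions; the caller supplies whichever unpacker it uses.

```python
import os
import subprocess
import sys
import tempfile

# TNEF streams start with the 32-bit signature 0x223E9F78, little-endian on disk.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")


def looks_like_tnef(path):
    """Gate on content, not on the sender-chosen filename 'winmail.dat'."""
    with open(path, "rb") as fh:
        return fh.read(4) == TNEF_SIGNATURE


def unpack_isolated(path, decoder_argv, timeout=10):
    """Run an external unpacker (hypothetical argv) on `path` in its own process.

    Returns (status, outdir); status is one of
    'skipped', 'ok', 'failed', 'crashed', 'timeout'.
    """
    if not looks_like_tnef(path):
        return "skipped", None
    outdir = tempfile.mkdtemp(prefix="tnef-")  # private scratch directory
    try:
        proc = subprocess.run(
            list(decoder_argv) + [os.path.abspath(path)],
            cwd=outdir,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout", outdir
    if proc.returncode < 0:  # POSIX: child was killed by a signal (e.g. SIGSEGV)
        return "crashed", outdir
    return ("ok" if proc.returncode == 0 else "failed"), outdir


if __name__ == "__main__":
    # Constructed sample: valid signature followed by junk bytes.
    with tempfile.NamedTemporaryFile(suffix=".dat", delete=False) as sample:
        sample.write(TNEF_SIGNATURE + b"\x00" * 16)
    # Stand-in decoder that aborts, simulating the crash described in the post.
    crasher = [sys.executable, "-c", "import os; os.abort()"]
    print(unpack_isolated(sample.name, crasher))
```

A "crashed" or "timeout" status can then be mapped to whatever policy the mail system applies to undecodable attachments.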