Tom Kistner wrote:
> Torsten Luettgert wrote:
>
>
>>> - Fix: only feed files called "winmail.dat" to the TNEF
>>> decoder. It seems it likes to crash on some arbitrary
>>> files (Which is a bug in itself, but I don't feel like
>>> debugging the mess which is tnef.c and tnef.h. And
>>> I don't feel like writing my own TNEF support either.).

It looks like tnef_limit is the first location past the end of the file. If
that's true, one possible cause of SIG11 is that

    if (tsp > tnef_limit)

should be

    if (tsp + 4 > tnef_limit)

in read_32() and

    if (tsp + 2 > tnef_limit)

in read_16().

John

>>
>>
>>
>> So that means that I'm vulnerable to server crashes by evil
>> folks sending me carefully crafted attachments called
>> 'winmail.dat'?
>
>
> Yes. Although only the exim child process handling that particular
> connection would die (yes, over and over again). I have currently no
> idea if that bug is "exploitable" in any way. The new default config in
> -16 does not use "demime" any more, also meaning that it does not unpack
> TNEF by default. With the MIME ACL, you can feed individual files to
> external decompressors. There is a commandline tnef unpacker available
> somewhere.
>
> I am not comfortable with the TNEF support in general. The code has been
> lifted straight out of a Microsoft SDK, with some modifications, first
> by Paul L. Daniels and then by me. It is the only code in the exiscan
> patch not written from scratch by me.
>
> Conclusion: If you are paranoid, use the new MIME ACL instead of
> "demime". :)
>
> regards,
>
> /tom
>
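
The bounds check proposed in the reply above, as an added illustration (not code from tnef.c or the exiscan patch). The struct and function names are hypothetical, pos and limit stand in for tsp and tnef_limit, and little-endian field order is assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cursor: pos plays the role of tsp, limit of tnef_limit
   (the first byte past the end of the buffer). */
struct cursor {
    const uint8_t *pos;
    const uint8_t *limit;
};

/* The check as quoted: passes whenever pos has not gone past limit,
   even when fewer than `need` bytes remain. */
static int weak_check_allows(const struct cursor *c, size_t need)
{
    (void)need;
    return !(c->pos > c->limit);
}

/* Corrected check: the same condition as "tsp + need > tnef_limit", written
   as a remaining-length comparison so no out-of-range pointer is formed. */
static int strict_check_allows(const struct cursor *c, size_t need)
{
    return c->pos <= c->limit && (size_t)(c->limit - c->pos) >= need;
}

/* Read a 16-bit value; returns 0 on success, -1 if the input is truncated. */
static int get_u16(struct cursor *c, uint16_t *out)
{
    if (!strict_check_allows(c, 2))
        return -1;
    *out = (uint16_t)(c->pos[0] | (c->pos[1] << 8));
    c->pos += 2;
    return 0;
}

/* Read a 32-bit value; returns 0 on success, -1 if the input is truncated. */
static int get_u32(struct cursor *c, uint32_t *out)
{
    if (!strict_check_allows(c, 4))
        return -1;
    *out = (uint32_t)c->pos[0] | ((uint32_t)c->pos[1] << 8) |
           ((uint32_t)c->pos[2] << 16) | ((uint32_t)c->pos[3] << 24);
    c->pos += 4;
    return 0;
}

/* Constructed sample: 6 bytes, so one 32-bit read fits and a second does not. */
static const uint8_t sample[6] = { 0x78, 0x9f, 0x3e, 0x22, 0x01, 0x00 };
```

With two bytes left, the quoted check still lets a 4-byte read proceed; the length-aware check rejects it and leaves the cursor where it was.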