[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog NewSt…

Author: Philip Hazel
Date:  
To: exim-cvs
Subject: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog NewStuff exim/exim-src/src host.c
ph10 2004/12/29 10:16:53 GMT

  Modified files:
    exim-doc/doc-txt     ChangeLog NewStuff 
    exim-src/src         host.c 
  Log:
  The host_aton() buffer overflow: (1) Put a check in host_aton() itself;
  (2) noted that the exploit via dnsdb/ptr lookup was already fortuitously
  fixed by a previous change.


  Revision  Changes    Path
  1.58      +10 -2     exim/exim-doc/doc-txt/ChangeLog
  1.24      +3 -3      exim/exim-doc/doc-txt/NewStuff
  1.4       +7 -1      exim/exim-src/src/host.c


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.57
  retrieving revision 1.58
  diff -u -r1.57 -r1.58
  --- ChangeLog    22 Dec 2004 12:05:45 -0000    1.57
  +++ ChangeLog    29 Dec 2004 10:16:52 -0000    1.58
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.57 2004/12/22 12:05:45 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.58 2004/12/29 10:16:52 ph10 Exp $


Change log file for Exim from version 4.21
-------------------------------------------
@@ -236,8 +236,8 @@

   55. Some experimental protocols are using DNS PTR records for new purposes. The
       keys for these records are domain names, not reversed IP addresses. The
  -    dnsdb lookup now tests whether it's key is an IP address. If not, it leaves
  -    it alone. Component reversal etc. now happens only for IP addresses.
  +    dnsdb PTR lookup now tests whether its key is an IP address. If not, it
  +    leaves it alone. Component reversal etc. now happens only for IP addresses.


56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP.

  @@ -252,6 +252,14 @@
         (1) $smtp_active_hostname is now available as a variable.
         (2) The default for smtp_banner uses $smtp_active_hostname instead
             of $primary_hostname.
  +
  +60. The host_aton() function is supposed to be passed a string that is known
  +    to be a valid IP address. However, in the case of IPv6 addresses, it was
  +    not checking this. This is a hostage to fortune. Exim now panics and dies
  +    if the condition is not met. A case was found where this could be provoked
  +    from a dnsdb lookup; fortuitously, this particular loophole had already
  +    been fixed by change 4.50/55 above. If there are any other similar
  +    loopholes, the new check should stop them being exploited.



Exim version 4.43

  Index: NewStuff
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -r1.23 -r1.24
  --- NewStuff    22 Dec 2004 12:05:45 -0000    1.23
  +++ NewStuff    29 Dec 2004 10:16:52 -0000    1.24
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.23 2004/12/22 12:05:45 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.24 2004/12/29 10:16:52 ph10 Exp $


   New Features in Exim
   --------------------
  @@ -234,9 +234,9 @@
   19. The Exiscan patch is now merged into the main source. See src/EDITME for
       parameters for the build.


  -20. If the key for a dnsdb lookup is not an IP address, it is used verbatim,
  -    without component reversal and without the addition of in-addr.arpa or
  -    ip6.arpa.
  +20. If the key for a dnsdb PTR lookup is not an IP address, it is used
  +    verbatim, without component reversal and without the addition of
  +    in-addr.arpa or ip6.arpa.


21. Two changes related to the smtp_active_hostname option:


  Index: host.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/host.c,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- host.c    18 Nov 2004 11:17:33 -0000    1.3
  +++ host.c    29 Dec 2004 10:16:53 -0000    1.4
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/host.c,v 1.3 2004/11/18 11:17:33 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/host.c,v 1.4 2004/12/29 10:16:53 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -754,12 +754,18 @@


     if (*p == ':') p++;


- /* Split the address into components separated by colons. */
+ /* Split the address into components separated by colons. The input address
+ is supposed to be checked for syntax. There was a case where this was
+ overlooked; to guard against that happening again, check here and crash if
+ there is a violation. */

     while (*p != 0)
       {
       int len = Ustrcspn(p, ":");
       if (len == 0) nulloffset = ci;
  +    if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, 
  +      "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
  +      address);  
       component[ci++] = p;
       p += len;
       if (*p == ':') p++;
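Review bot: the new `if (ci > 7)` guard is placed before `component[ci++] = p;`, so a ninth colon-separated component now terminates with LOG_PANIC_DIE rather than being stored past the bound the check implies; since the added comment says the address "is supposed to be checked for syntax" by the caller, that precondition should also be stated in the header comment of host_aton() itself, so that callers such as the dnsdb path mentioned in the log validate before calling rather than relying on the panic. Two of the added lines also carry trailing whitespace (`LOG_PANIC_DIE, ` and `address);  `), which should be trimmed.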