[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim…

Góra strony
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
Dla: exim-cvs
Temat: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/exim-src/src/auths auth-spa.c auth-spa.h spa.c
ph10 2004/12/29 10:55:58 GMT

  Modified files:
    exim-doc/doc-txt     ChangeLog 
    exim-src/src/auths   auth-spa.c auth-spa.h spa.c 
  Log:
  Fix buffer overflow vulnerability in spa_base64_to_bits() function.


  Revision  Changes    Path
  1.59      +14 -3     exim/exim-doc/doc-txt/ChangeLog
  1.2       +10 -1     exim/exim-src/src/auths/auth-spa.c
  1.2       +4 -1      exim/exim-src/src/auths/auth-spa.h
  1.3       +3 -3      exim/exim-src/src/auths/spa.c


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.58
  retrieving revision 1.59
  diff -u -r1.58 -r1.59
  --- ChangeLog    29 Dec 2004 10:16:52 -0000    1.58
  +++ ChangeLog    29 Dec 2004 10:55:58 -0000    1.59
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.58 2004/12/29 10:16:52 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.59 2004/12/29 10:55:58 ph10 Exp $


   Change log file for Exim from version 4.21
   -------------------------------------------
  @@ -257,9 +257,20 @@
       to be a valid IP address. However, in the case of IPv6 addresses, it was
       not checking this. This is a hostage to fortune. Exim now panics and dies
       if the condition is not met. A case was found where this could be provoked
  -    from a dnsdb lookup; fortuitously, this particular loophole had already
  -    been fixed by change 4.50/55 above. If there are any other similar
  -    loopholes, the new check should stop them being exploited.
  +    from a dnsdb PTR lookup with an IPv6 address that had more than 8
  +    components; fortuitously, this particular loophole had already been fixed
  +    by change 4.50/55 above.
  +
  +    If there are any other similar loopholes, the new check in host_aton()
  +    itself should stop them being exploited. The report I received stated that
  +    data on the command line could provoke the exploit when Exim was running as
  +    exim, but did not say which command line option was involved. All I could
  +    find was the use of -be with a bad dnsdb PTR lookup, and in that case it is
  +    running as the user.
  +
  +61. There was a buffer overflow vulnerability in the SPA authentication code
  +    (which came originally from the Samba project). I have added a test to the
  +    spa_base64_to_bits() function which I hope fixes it.



Exim version 4.43

  Index: auth-spa.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/auth-spa.c,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- auth-spa.c    7 Oct 2004 13:10:00 -0000    1.1
  +++ auth-spa.c    29 Dec 2004 10:55:58 -0000    1.2
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/auth-spa.c,v 1.1 2004/10/07 13:10:00 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/auth-spa.c,v 1.2 2004/12/29 10:55:58 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -406,8 +406,11 @@
     *out = '\0';
   }


  +
  +/* The outlength parameter was added by PH, December 2004 */
  +
   int
  -spa_base64_to_bits (char *out, const char *in)
  +spa_base64_to_bits (char *out, int outlength, const char *in)
   /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
   {
     int len = 0;
  @@ -420,6 +423,8 @@


     do
       {
  +      if (len >= outlength)                   /* Added by PH */
  +        return (-1);                          /* Added by PH */
         digit1 = in[0];
         if (DECODE64 (digit1) == BAD)
          return (-1);
  @@ -437,11 +442,15 @@
         ++len;
         if (digit3 != '=')
          {
  +         if (len >= outlength)                   /* Added by PH */
  +           return (-1);                          /* Added by PH */
            *out++ =
              ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
            ++len;
            if (digit4 != '=')
              {
  +             if (len >= outlength)                   /* Added by PH */
  +               return (-1);                          /* Added by PH */
                *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
                ++len;
              }


  Index: auth-spa.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/auth-spa.h,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- auth-spa.h    7 Oct 2004 13:10:00 -0000    1.1
  +++ auth-spa.h    29 Dec 2004 10:55:58 -0000    1.2
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/auth-spa.h,v 1.1 2004/10/07 13:10:00 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/auth-spa.h,v 1.2 2004/12/29 10:55:58 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -11,6 +11,9 @@
    * All the code used here was torn by Marc Prud'hommeaux out of the
    * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
    */
  + 
  +/* December 2004: The spa_base64_to_bits() function has no length checking in 
  +it. I have added a check. PH */ 


/* It seems that some systems have existing but different definitions of some
of the following types. I received a complaint about "int16" causing
@@ -77,7 +80,7 @@
#define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)

   void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
  -int spa_base64_to_bits(char *, const char *);
  +int spa_base64_to_bits(char *, int, const char *);
   void spa_build_auth_response (SPAAuthChallenge *challenge,
          SPAAuthResponse *response, char *user, char *password);
   void spa_build_auth_request (SPAAuthRequest *request, char *user,


  Index: spa.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/auths/spa.c,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- spa.c    20 Dec 2004 14:57:05 -0000    1.2
  +++ spa.c    29 Dec 2004 10:55:58 -0000    1.3
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/auths/spa.c,v 1.2 2004/12/20 14:57:05 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/auths/spa.c,v 1.3 2004/12/29 10:55:58 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -135,7 +135,7 @@
     return FAIL;
     }


  -if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0)
  +if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
     "request: %s\n", data);
  @@ -155,7 +155,7 @@
     }


   /* dump client response */
  -if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0)
  +if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
     {
     DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
     "response: %s\n", data);
  @@ -324,7 +324,7 @@
          /* convert the challenge into the challenge struct */
          DSPA("\n\n%s authenticator: challenge (%s)\n\n",
                  ablock->name, buffer + 4);
  -       spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4));
  +       spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));


          spa_build_auth_response (&challenge, &response,
                  CS username, CS password);