On Mon, 22 Aug 2005, Tony Finch wrote:
> On Mon, 22 Aug 2005, Jakob Hirsch wrote:
> >
> > According to the alert, only "Applications that parse untrusted regular
> > expressions may be vulnerable." Exim does not do that by default, AFAIK,
> > but there may be a few setups allowing that, e.g. user specified filters
> > with regex.
>
> This can be a problem in setups where Exim runs filters at SMTP time while
> it is running as the exim user, which might allow escalation to root
> privilege. That's the only really dangerous scenario I can think of.

The bug was fixed in PCRE 6.2, which is in the current Exim snapshot.
The current PCRE release is 6.3, but there are no code changes from 6.2
(just changes to Makefiles, etc). The PCRE ChangeLog for 6.2 reads:

    1. There was no test for integer overflow of quantifier values. A
       construction such as {1111111111111111} would give undefined
       results. What is worse, if a minimum quantifier for a parenthesized
       subpattern overflowed and became negative, the calculation of the
       memory size went wrong. This could have led to memory overwriting.

--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
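The defect class the quoted ChangeLog entry describes, as an added example that is not PCRE's or Exim's own code: a naive quantifier-count parser that silently wraps on `{1111111111111111}`, beside a checked parser that bounds the value before every multiply so no negative count can ever reach a size calculation. The cap `QUANT_MAX` is an assumption chosen for this example, not a limit the page states.

```c
#include <ctype.h>
#include <stdint.h>

/* Assumed cap for this example; the page does not state PCRE's own limit. */
#define QUANT_MAX 65535

/* Naive accumulation with no overflow test (the pre-6.2 behaviour described
   in the ChangeLog). Wraparound is modelled with uint32_t so the demo is
   deterministic; with a plain int the overflow is undefined behaviour. */
int parse_count_naive(const char *s)
{
    uint32_t n = 0;
    while (isdigit((unsigned char)*s))
        n = n * 10 + (uint32_t)(*s++ - '0');
    return (int)n;              /* 1111111111111111 wraps to a negative int */
}

/* Checked parse of one decimal count, stopping at the first non-digit.
   Returns the count, or -1 if there are no digits or the value would exceed
   QUANT_MAX (tested *before* each multiply, so nothing ever overflows). */
int parse_count_checked(const char **sp)
{
    const char *s = *sp;
    int n = 0, digits = 0;
    for (; isdigit((unsigned char)*s); s++, digits++) {
        int d = *s - '0';
        if (n > (QUANT_MAX - d) / 10) return -1;    /* n*10+d > QUANT_MAX */
        n = n * 10 + d;
    }
    if (digits == 0) return -1;
    *sp = s;
    return n;
}

/* Parse "{m}", "{m,}" or "{m,n}" into *min/*max (*max = -1 for unbounded).
   Returns 0 on success, -1 on any syntax, range or overflow error, so a
   caller's memory-size calculation never sees a negative minimum. */
int parse_braces(const char *s, int *min, int *max)
{
    if (*s++ != '{') return -1;
    if ((*min = parse_count_checked(&s)) < 0) return -1;
    *max = *min;
    if (*s == ',') {
        s++;
        if (*s == '}') *max = -1;                   /* {m,} : no upper bound */
        else if ((*max = parse_count_checked(&s)) < 0 || *max < *min) return -1;
    }
    return *s == '}' ? 0 : -1;
}
```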