[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim…

Author: Magnus Holmgren
Date:  
To: exim-cvs
Subject: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/exim-src/src spam.c
magnus 2007/05/14 19:56:26 BST

  Modified files:
    exim-doc/doc-txt     ChangeLog 
    exim-src/src         spam.c 
  Log:
  The "spam" ACL condition code contained a sscanf() call with a %s
  conversion specification without a maximum field width, thereby
  enabling a rogue spamd server to cause a buffer overflow. While nobody
  in their right mind would set up Exim to query an untrusted spamd
  server, an attacker that gains access to a server running spamd could
  potentially exploit this vulnerability to run arbitrary code as the
  Exim user.


  Revision  Changes    Path
  1.508     +7 -0      exim/exim-doc/doc-txt/ChangeLog
  1.14      +2 -2      exim/exim-src/src/spam.c
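
The bug the log message describes, shown as an added C example that is not Exim's code: the pre-fix "SPAMD/%s" conversion copies the whole version token into a fixed buffer regardless of its size, while the fixed form bounds the field to the buffer. The buffer size (VERSION_WIDTH), the struct and function names, and both spamd replies are constructed for the example; Exim's real spamd_version declaration is not shown in this commit. The unbounded write is measured rather than executed, so the program runs safely and reports how many bytes %s would have written.

```c
#include <stdio.h>
#include <string.h>

/* Width of the version field and, derived from it, the size of the buffer
   it is stored in. The width in the format string is generated from the same
   macro, so buffer and field width cannot drift apart. (Constructed example;
   Exim's real spamd_version buffer is not shown in this commit.) */
#define VERSION_WIDTH 7
#define STR_(x) #x
#define STR(x) STR_(x)

/* Hardened format, equivalent to the post-fix "SPAMD/%7s ..." in spam.c. */
#define SPAMD_FMT \
  "SPAMD/%" STR(VERSION_WIDTH) "s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n"

struct spamd_result {
  char version[VERSION_WIDTH + 1];   /* +1 for the NUL sscanf() appends */
  double score;
  double threshold;
  int report_offset;                 /* byte offset of the report, -1 if not reached */
};

/* Constructed well-formed reply in the spamd 2.50+ format. The Content-length
   value is skipped by %*u, so it need not match the body. */
static const char BENIGN_REPLY[] =
  "SPAMD/1.1 0 EX_OK\r\n"
  "Content-length: 42\r\n"
  "\r\n"
  "3.5/5.0\r\n"
  "report text follows\r\n";

/* Constructed hostile reply: a 300-byte version token, everything else valid.
   This is the shape of reply a rogue spamd could feed the pre-fix parser. */
static const char *hostile_reply(void)
{
  static char buf[512];
  const char *tail = " 0 EX_OK\r\nContent-length: 42\r\n\r\n3.5/5.0\r\n";
  memset(buf, 'A', sizeof buf);
  memcpy(buf, "SPAMD/", 6);
  memcpy(buf + 6 + 300, tail, strlen(tail) + 1);
  return buf;
}

/* Number of bytes an unbounded %s would copy out of the version field:
   everything after "SPAMD/" up to the first whitespace, plus a NUL. It is
   computed rather than executed so the overflow is measured, not triggered. */
static size_t unbounded_write_len(const char *reply)
{
  if (strncmp(reply, "SPAMD/", 6) != 0) return 0;
  return strcspn(reply + 6, " \t\r\n") + 1;
}

/* Would the pre-fix "SPAMD/%s" format overflow a version buffer of bufsize bytes? */
static int unbounded_overflows(const char *reply, size_t bufsize)
{
  return unbounded_write_len(reply) > bufsize;
}

/* Hardened parse. Returns 1 on success, 0 if the reply is rejected.
   %n does not count towards sscanf()'s return value, hence == 3; the
   report_offset check catches a reply that ends right after the scores.
   An overlong version token stops %7s after 7 bytes, the literal " 0 EX_OK"
   then fails to match and sscanf() returns 1: the reply is rejected. */
static int parse_spamd_reply(const char *reply, struct spamd_result *r)
{
  memset(r, 0, sizeof *r);
  r->report_offset = -1;
  if (sscanf(reply, SPAMD_FMT, r->version, &r->score, &r->threshold,
             &r->report_offset) != 3 || r->report_offset < 0)
    return 0;
  return 1;
}

int main(void)
{
  struct spamd_result r;
  const char *hostile = hostile_reply();

  printf("benign:  unbounded %%s would write %zu bytes into %zu -> %s\n",
         unbounded_write_len(BENIGN_REPLY), sizeof r.version,
         unbounded_overflows(BENIGN_REPLY, sizeof r.version) ? "OVERFLOW" : "ok");
  printf("hostile: unbounded %%s would write %zu bytes into %zu -> %s\n",
         unbounded_write_len(hostile), sizeof r.version,
         unbounded_overflows(hostile, sizeof r.version) ? "OVERFLOW" : "ok");

  if (parse_spamd_reply(BENIGN_REPLY, &r))
    printf("benign:  version=%s score=%.1f/%.1f report at offset %d\n",
           r.version, r.score, r.threshold, r.report_offset);
  printf("hostile: hardened parse %s\n",
         parse_spamd_reply(hostile, &r) ? "accepted" : "rejected (cannot parse)");
  return 0;
}
```

The stringified macro is the part worth copying: a bare "%7s" in a format string is only safe while the buffer stays 8 bytes, and nothing in the compiler ties the two together. Generating the width from the same constant that sizes the array closes that gap, and the rejection path mirrors what the fixed spam.c does, falling through to its "cannot parse spamd output" error instead of reading further into a reply it cannot trust.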


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.507
  retrieving revision 1.508
  diff -u -r1.507 -r1.508
  --- ChangeLog    11 May 2007 08:50:42 -0000    1.507
  +++ ChangeLog    14 May 2007 18:56:25 -0000    1.508
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.507 2007/05/11 08:50:42 tom Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.508 2007/05/14 18:56:25 magnus Exp $


Change log file for Exim from version 4.21
-------------------------------------------
@@ -27,6 +27,13 @@

   TK/01 Change PRVS address formatting scheme to reflect latests BATV draft
         version.
  +
  +MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
  +      conversion specification without a maximum field width, thereby enabling
  +      a rogue spamd server to cause a buffer overflow. While nobody in their
  +      right mind would setup Exim to query an untrusted spamd server, an
  +      attacker that gains access to a server running spamd could potentially
  +      exploit this vulnerability to run arbitrary code as the Exim user.



Exim version 4.67
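Review bot: The MH/01 entry records the bug but not the fix; a reader of the ChangeLog alone cannot tell what changed or which release carries it. Add a sentence stating that both sscanf() formats in spam.c now bound the version field (the commit uses "SPAMD/%7s" in place of "SPAMD/%s"), so that the entry documents the remedy as well as the problem, and consider noting that an overlong version is now rejected with the existing "cannot parse spamd output" log entry rather than accepted.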

  Index: spam.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/spam.c,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- spam.c    5 Sep 2006 14:05:43 -0000    1.13
  +++ spam.c    14 May 2007 18:56:25 -0000    1.14
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/spam.c,v 1.13 2006/09/05 14:05:43 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/spam.c,v 1.14 2007/05/14 18:56:25 magnus Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -316,11 +316,11 @@
     (void)close(spamd_sock);


     /* dig in the spamd output and put the report in a multiline header, if requested */
  -  if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
  +  if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
                spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {


       /* try to fall back to pre-2.50 spamd output */
  -    if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
  +    if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
                  spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
         log_write(0, LOG_MAIN|LOG_PANIC,
            "spam acl condition: cannot parse spamd output");
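Review bot: The width 7 in both changed format strings is a bare constant that must equal sizeof(spamd_version) - 1, and the declaration that fixes that size is not in this hunk; generate the width from the buffer size (a stringified macro used for both the array bound and the "%Ns" width) or at least put a comment next to the spamd_version declaration saying the two format strings depend on it, so a later resize of the buffer cannot silently reintroduce the overflow. The failure mode is worth a comment too: with "%7s", a version token longer than 7 characters is cut off, the literal " 0 EX_OK" then fails to match, sscanf() returns 1 rather than 3, and both the 2.50+ and the pre-2.50 formats fall through to the "cannot parse spamd output" LOG_PANIC, which is the right, fail-closed outcome for a rogue spamd.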