magnus 2007/05/14 19:56:26 BST
Modified files:
exim-doc/doc-txt ChangeLog
exim-src/src spam.c
Log:
The "spam" ACL condition code contained a sscanf() call with a %s
conversion specification without a maximum field width, thereby
enabling a rogue spamd server to cause a buffer overflow. While nobody
in their right mind would set up Exim to query an untrusted spamd
server, an attacker that gains access to a server running spamd could
potentially exploit this vulnerability to run arbitrary code as the
Exim user.
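The bug described in the log message is a plain-C scanf hazard, so here is a worked illustration of it. This is added example code, not Exim's spam.c: it re-creates the two spamd reply formats that spam.c matches, measures how many bytes an unbounded "%s" would store for the version token, and shows the bounded parse rejecting an over-long token instead of writing past the buffer. The 8-byte size of the version buffer is an assumption derived from the "%7s" in the fix (the declaration is not on this page), and the spamd replies are constructed samples, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption (the declaration is not in the diff): 7 characters plus NUL,
   which is what a "%7s" conversion implies. */
#define SPAMD_VERSION_LEN 8

/* Constructed sample replies, not captured from a real spamd. */
static const char reply_new[] =           /* spamd >= 2.50 format */
    "SPAMD/1.1 0 EX_OK\r\nContent-length: 42\r\n\r\n7.5/5.0\r\n"
    "Spam detection software report text\r\n";
static const char reply_old[] =           /* pre-2.50 format */
    "SPAMD/1.0 0 EX_OK\r\nSpam: True ; 7.5 / 5.0\r\n\r\nreport text\r\n";
static const char reply_rogue[] =         /* 56-byte version token */
    "SPAMD/" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAA" " 0 EX_OK\r\nContent-length: 42\r\n\r\n7.5/5.0\r\n";

/* Bytes the pre-fix "%s" would store for the version token: the token
   length plus a NUL.  The measurement reads into a large scratch buffer
   with an explicit width so this demo itself cannot overflow; against an
   8-byte destination any result above 8 is a write past the end. */
size_t bytes_unbounded_s_would_write(const char *reply)
{
    char scratch[1024];
    if (sscanf(reply, "SPAMD/%1023s", scratch) != 1)
        return 0;
    return strlen(scratch) + 1;
}

/* The post-fix parse, generalised: the field width is derived from the
   destination size instead of being hard-coded as 7.  Tries the new
   format, then the pre-2.50 one; returns 1 on success, 0 otherwise. */
int parse_spamd_reply(const char *reply, char *version, size_t version_len,
                      double *score, double *threshold, int *report_offset)
{
    char fmt_new[128], fmt_old[128];
    if (version_len < 2 || version_len > 1000)
        return 0;
    snprintf(fmt_new, sizeof fmt_new,
             "SPAMD/%%%zus 0 EX_OK\r\nContent-length: %%*u\r\n\r\n%%lf/%%lf\r\n%%n",
             version_len - 1);
    snprintf(fmt_old, sizeof fmt_old,
             "SPAMD/%%%zus 0 EX_OK\r\nSpam: %%*s ; %%lf / %%lf\r\n\r\n%%n",
             version_len - 1);
    /* %n is not counted in the return value, so 3 means every field matched. */
    *report_offset = 0;
    if (sscanf(reply, fmt_new, version, score, threshold, report_offset) == 3)
        return 1;
    *report_offset = 0;
    if (sscanf(reply, fmt_old, version, score, threshold, report_offset) == 3)
        return 1;
    return 0;
}

/* Offset of the report text after a successful parse, or -1 on failure. */
int report_offset_of(const char *reply)
{
    char v[SPAMD_VERSION_LEN]; double sc = 0, th = 0; int off = 0;
    return parse_spamd_reply(reply, v, sizeof v, &sc, &th, &off) ? off : -1;
}

/* Whatever the bounded parse left in the version buffer, NUL-terminated. */
int version_equals(const char *reply, const char *expected)
{
    char v[SPAMD_VERSION_LEN] = {0}; double sc = 0, th = 0; int off = 0;
    (void)parse_spamd_reply(reply, v, sizeof v, &sc, &th, &off);
    return strcmp(v, expected) == 0;
}

/* Parse into an 8-byte buffer that is immediately followed by a canary and
   report whether the canary survived; with a bounded width it always does. */
int canary_intact_after_parse(const char *reply)
{
    struct { char version[SPAMD_VERSION_LEN]; char canary[8]; } s;
    double sc = 0, th = 0; int off = 0;
    memset(&s, 0, sizeof s);
    memcpy(s.canary, "CANARY!", 8);
    (void)parse_spamd_reply(reply, s.version, sizeof s.version, &sc, &th, &off);
    return memcmp(s.canary, "CANARY!", 8) == 0;
}

int main(void)
{
    printf("unbounded %%s would store %zu bytes for the rogue version token\n",
           bytes_unbounded_s_would_write(reply_rogue));
    printf("bounded parse of rogue reply: offset %d, canary intact: %d\n",
           report_offset_of(reply_rogue), canary_intact_after_parse(reply_rogue));
    return 0;
}
```

The rogue reply is rejected not because the width check "detects" anything, but because "%7s" stops after seven characters and the literal " 0 EX_OK" that follows in the format then fails to match, so both sscanf calls return 1 and the caller takes the "cannot parse spamd output" path. That fail-closed behaviour is the property to keep when the buffer size changes; deriving the width from sizeof at run time, as above, keeps the two from drifting apart.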
Revision Changes Path
1.508 +7 -0 exim/exim-doc/doc-txt/ChangeLog
1.14 +2 -2 exim/exim-src/src/spam.c
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.507
retrieving revision 1.508
diff -u -r1.507 -r1.508
--- ChangeLog 11 May 2007 08:50:42 -0000 1.507
+++ ChangeLog 14 May 2007 18:56:25 -0000 1.508
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.507 2007/05/11 08:50:42 tom Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.508 2007/05/14 18:56:25 magnus Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -27,6 +27,13 @@
TK/01 Change PRVS address formatting scheme to reflect latests BATV draft
version.
+
+MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
+ conversion specification without a maximum field width, thereby enabling
+ a rogue spamd server to cause a buffer overflow. While nobody in their
+ right mind would setup Exim to query an untrusted spamd server, an
+ attacker that gains access to a server running spamd could potentially
+ exploit this vulnerability to run arbitrary code as the Exim user.
Exim version 4.67
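Review bot: The MH/01 entry describes the bug but not the fix; a reader of the ChangeLog cannot tell what changed or how to verify it. Add one line stating that the "%s" conversion for the spamd version string was replaced with "%7s" (the change in spam.c), so packagers and auditors can match the entry to the code. Minor: "setup" should read "set up".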
Index: spam.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/spam.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- spam.c 5 Sep 2006 14:05:43 -0000 1.13
+++ spam.c 14 May 2007 18:56:25 -0000 1.14
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/spam.c,v 1.13 2006/09/05 14:05:43 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/spam.c,v 1.14 2007/05/14 18:56:25 magnus Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -316,11 +316,11 @@
(void)close(spamd_sock);
/* dig in the spamd output and put the report in a multiline header, if requested */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
/* try to fall back to pre-2.50 spamd output */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
log_write(0, LOG_MAIN|LOG_PANIC,
"spam acl condition: cannot parse spamd output");
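Review bot: "%7s" stores up to seven characters plus a terminating NUL, so spamd_version must be at least 8 bytes; its declaration is outside this hunk, so please confirm the size matches rather than relying on the literal 7, or derive the width from the declared size so the two cannot drift apart. The effect of the width on an over-long token is worth a comment in the code: the conversion stops after seven characters, the following literal " 0 EX_OK" then fails to match, both sscanf calls return 1, and the code falls through to the "cannot parse spamd output" panic, which is the intended fail-closed path. The hunk also does not show how spamd_buffer is terminated before sscanf reads it; that is a separate precondition for both calls and should be checked in the same pass.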