[exim-dev] Low-risk buffer overflow in spam.c

Author: Magnus Holmgren
Date:  
To: exim-dev
Subject: [exim-dev] Low-risk buffer overflow in spam.c
The "spam" ACL condition code contained a sscanf() call with a %s conversion
specification without a maximum field width, thereby enabling a rogue spamd
server to cause a buffer overflow. While nobody in their right mind would
set up Exim to query an untrusted spamd server, an attacker who gains access
to a server running spamd could potentially exploit this vulnerability to run
arbitrary code as the Exim user.

This was reported on Bugtraq by "calcite@???" (see
http://www.securityfocus.com/archive/1/468530/30/0). Since the fix is trivial
I've already checked it in (see
http://www.exim.org/viewvc/exim/exim-src/src/spam.c?r1=1.13&r2=1.14).

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
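The bug class described in the message above, as an added example that is not Exim's spam.c and not code from this thread. It assumes a hypothetical 16-byte buffer for the "Spam:" token (the real size in spam.c is not given here), constructed sample lines in the spamd "Spam: True ; score / threshold" response format, and helper names (spam_token_len, would_overflow, parse_unbounded, parse_bounded, parse_spamd_result) chosen for illustration. The unbounded "%s" is shown next to the width-limited form, and the overflow condition is measured rather than triggered so the program stays well-defined:

```c
/* Added example (not Exim's code): unbounded "%s" in sscanf() versus a
 * field-width-limited "%15s", applied to spamd-style "Spam:" result lines. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical buffer size for the action token; spam.c's real size is not
 * stated on the page. "%15s" below must stay equal to ACTION_LEN - 1. */
#define ACTION_LEN 16

/* Constructed sample lines in the spamd "Spam:" header format. */
static const char *const benign_line = "Spam: True ; 15.2 / 5.0";
static const char *const hostile_line =
    "Spam: " "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"  /* 40 A's */
    " ; 1.0 / 5.0";

/* Length of the token an unbounded %s would copy from a "Spam: ..." line:
 * everything after the prefix and any blanks, up to the first whitespace.
 * Lets the example report the overflow condition without executing it. */
static size_t spam_token_len(const char *line)
{
    const char *p = line;
    if (strncmp(p, "Spam:", 5) != 0) return 0;
    p += 5;
    while (*p == ' ' || *p == '\t') p++;   /* a space in the format skips blanks */
    return strcspn(p, " \t\r\n");
}

/* True when "%s" into a char[ACTION_LEN] would write past its end:
 * the token plus its terminating NUL does not fit. */
static bool would_overflow(const char *line)
{
    return spam_token_len(line) + 1 > ACTION_LEN;
}

/* VULNERABLE pattern: no maximum field width, so sscanf() copies as many
 * non-whitespace bytes as the server sent, whatever sizeof(action) is.
 * Only ever called here on input that would_overflow() has cleared. */
static int parse_unbounded(const char *line, char action[ACTION_LEN],
                           double *score, double *threshold)
{
    return sscanf(line, "Spam: %s ; %lf / %lf", action, score, threshold);
}

/* FIXED pattern: "%15s" stores at most 15 bytes plus the NUL. An overlong
 * token is truncated, the following " ; " then fails to match, and sscanf()
 * returns fewer than 3 conversions, so callers must check the count. */
static int parse_bounded(const char *line, char action[ACTION_LEN],
                         double *score, double *threshold)
{
    return sscanf(line, "Spam: %15s ; %lf / %lf", action, score, threshold);
}

/* How many conversions the bounded parser completes on a line. */
static int bounded_conversions(const char *line)
{
    char action[ACTION_LEN];
    double score, threshold;
    return parse_bounded(line, action, &score, &threshold);
}

/* Defensive wrapper: reject tokens that cannot fit, then require all three
 * conversions. Returns 1 for a well-formed line, 0 otherwise. */
static int parse_spamd_result(const char *line, char action[ACTION_LEN],
                              double *score, double *threshold)
{
    if (would_overflow(line)) return 0;
    return parse_bounded(line, action, score, threshold) == 3;
}

int main(void)
{
    char action[ACTION_LEN];
    double score, threshold;

    /* Safe only because the line was measured before the unbounded parse. */
    if (!would_overflow(benign_line) &&
        parse_unbounded(benign_line, action, &score, &threshold) == 3)
        printf("unbounded parse: %s %.1f/%.1f\n", action, score, threshold);

    printf("hostile token would overflow a %d-byte buffer: %s\n", ACTION_LEN,
           would_overflow(hostile_line) ? "yes" : "no");
    printf("bounded parser accepts hostile line: %s\n",
           parse_spamd_result(hostile_line, action, &score, &threshold)
               ? "yes" : "no");
    return 0;
}
```

Two things carry over to any sscanf()-based protocol parser: every %s (and %[) needs a width one less than the destination size, and after the fix the return value must still be checked, because a truncated token makes the rest of the format fail rather than producing an error on its own.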