The "spam" ACL condition code contained a sscanf() call with a %s conversion
specification without a maximum field width, thereby enabling a rogue spamd
server to cause a buffer overflow. While nobody in their right mind would
set up Exim to query an untrusted spamd server, an attacker that gains access
to a server running spamd could potentially exploit this vulnerability to run
arbitrary code as the Exim user.
This was reported on Bugtraq by "calcite@???" (see
http://www.securityfocus.com/archive/1/468530/30/0). Since the fix is trivial
I've already checked it in (see
http://www.exim.org/viewvc/exim/exim-src/src/spam.c?r1=1.13&r2=1.14).
--
Magnus Holmgren holmgren@???
(No Cc of list mail needed, thanks)
"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans
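The following is an added example, not Exim's spam.c and not code from the
message above. It shows the class of bug the message describes: a "%s"
conversion with no field width copies an attacker-controlled token into a
fixed-size array, whereas a width-limited conversion plus a truncation check
rejects an over-long token instead of overflowing. The reply format
("Spam: True ; score / threshold"), the 16-byte buffer, and the function
names are assumptions chosen for this illustration, not Exim's actual buffer
sizes or parsing code.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size for the True/False word. Chosen for this example only;
 * it is not the size Exim uses. */
#define SPAM_WORD_LEN 16

struct spamd_verdict {
    char is_spam[SPAM_WORD_LEN];
    double score;
    double threshold;
};

/* Vulnerable pattern: "%s" with no maximum field width writes as many
 * non-whitespace bytes as the server sends into the 16-byte array.
 * Kept here for contrast only; never call it on untrusted input. */
int parse_spamd_line_unsafe(const char *line, struct spamd_verdict *v)
{
    return sscanf(line, "Spam: %s ; %lf / %lf",
                  v->is_spam, &v->score, &v->threshold) == 3;
}

/* Hardened pattern: the width is limited to sizeof(is_spam) - 1, and %n
 * records how far sscanf got so we can detect that the token was cut off
 * (the next byte would then be neither a space nor ';'). A truncated
 * token is rejected rather than silently acted upon. */
int parse_spamd_line(const char *line, struct spamd_verdict *v)
{
    int consumed = 0;

    if (sscanf(line, "Spam: %15s%n", v->is_spam, &consumed) != 1)
        return 0;
    if (line[consumed] != ' ' && line[consumed] != ';')
        return 0;                       /* token longer than the buffer */
    if (sscanf(line + consumed, " ; %lf / %lf", &v->score, &v->threshold) != 2)
        return 0;
    /* The protocol only defines these two words; anything else is bogus. */
    if (strcmp(v->is_spam, "True") != 0 && strcmp(v->is_spam, "False") != 0)
        return 0;
    return 1;
}

/* Constructed well-formed reply (not captured from a real spamd). */
int demo_good_reply(void)
{
    struct spamd_verdict v;
    if (!parse_spamd_line("Spam: True ; 15.2 / 5.0", &v))
        return 0;
    return strcmp(v.is_spam, "True") == 0
        && v.score > 15.1 && v.score < 15.3
        && v.threshold == 5.0;
}

/* Constructed rogue reply: 300 bytes of 'A' where True/False belongs.
 * The unsafe parser would write all 300 into a 16-byte array; the
 * hardened parser stops at 15 bytes and returns 0. */
int demo_rogue_reply(void)
{
    char line[400];
    struct spamd_verdict v;

    memset(line, 'A', sizeof line);
    memcpy(line, "Spam: ", 6);
    strcpy(line + 6 + 300, " ; 1.0 / 5.0");
    return parse_spamd_line(line, &v);   /* expected: 0 (rejected) */
}

int main(void)
{
    struct spamd_verdict v;
    /* Both parsers agree on a benign, well-formed line. */
    parse_spamd_line_unsafe("Spam: False ; -2.0 / 5.0", &v);
    printf("unsafe parser: %s %.1f / %.1f\n", v.is_spam, v.score, v.threshold);
    printf("good reply accepted: %d\n", demo_good_reply());
    printf("rogue reply accepted: %d\n", demo_rogue_reply());
    return 0;
}
```

The check after the first sscanf is what makes the width limit safe to rely
on: "%15s" alone stops the overflow, but it leaves a silently truncated word
and the remainder of the over-long token still unconsumed, so the second
sscanf would fail in a confusing way. Inspecting line[consumed] turns that
into an explicit rejection of a reply the protocol does not define.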