Re: [exim] [exim-dev] PCRE vulnerability and Exim ?

Author: Jan Srzednicki
Date:  
To: Dr Andrew C Aitchison
CC: exim-users, exim-dev
Subject: Re: [exim] [exim-dev] PCRE vulnerability and Exim ?
On Wed, Nov 07, 2007 at 08:41:00AM +0000, Dr Andrew C Aitchison wrote:
>
> [ Sorry for spamming exim-dev but I believe that the
>    PCRE maintainer lurks there and not on exim-users  :-]

[..]
> exim-4.68 includes pcre 7.2, which is presumably vulnerable.
>
> I suspect that within exim pcre does not parse user-supplied
> expressions, so this is not a major vulnerability, but is anyone
> in a position to confirm this, or do we need to release an updated
> version of exim ?


Well, that depends on the site's setup. Exim can put user-supplied data into
the regex value (there's a string expansion target "rxquote" for that),
so I can imagine there are quite a few potentially vulnerable systems
out there.

-- 
  Jan Srzednicki  ::  http://wrzask.pl/
  "Remember, remember, the fifth of November"
                                     -- V for Vendetta
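
Added example (not part of the original message, and not code from Exim): a small Python check that lists Exim `match` conditions whose regex argument contains sender-controlled variables, separating values wrapped in `${rxquote:...}` from values interpolated raw. The variable shortlist and the sample configuration are constructed assumptions; `rxquote` here mimics the documented operator (a backslash before every non-alphanumeric character).

```python
import re

# Sender-controlled expansion variables (constructed shortlist; extend per site).
UNTRUSTED = {"local_part", "domain", "sender_address", "sender_helo_name"}
QUOTED = re.compile(r"\$\{rxquote:\s*\$\{?(\w+)\}?\s*\}")
VAR = re.compile(r"\$\{?(\w+)")

def rxquote(s):
    """Mimic ${rxquote:...}: backslash before every non-alphanumeric character."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "\\" + m.group(0), s)

def brace_args(text, pos):
    """Return the consecutive {...} arguments that start at text[pos]."""
    args = []
    while pos < len(text) and text[pos] == "{":
        depth, start = 0, pos
        while pos < len(text):
            ch = text[pos]
            if ch == "\\":
                pos += 1                  # skip the escaped character
            depth += (ch == "{") - (ch == "}")
            if depth == 0:
                break
            pos += 1
        args.append(text[start + 1:pos])
        pos += 1
    return args

def audit(config):
    """Return (line, variable, 'quoted'|'raw') for sender data inside a match regex."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        for m in re.finditer(r"\bmatch\s*(?=\{)", line):
            args = brace_args(line, m.end())
            if len(args) < 2:
                continue
            pattern = args[1]             # second argument is the regex
            quoted = QUOTED.findall(pattern)
            raw = VAR.findall(QUOTED.sub("", pattern))
            for kind, names in (("quoted", quoted), ("raw", raw)):
                findings += [(n, v, kind) for v in names if v in UNTRUSTED]
    return findings

# Constructed configuration fragment, not taken from any real site.
SAMPLE = """\
deny   condition = ${if match{$h_subject:}{^${rxquote:$local_part}-}}
warn   condition = ${if match{$sender_address}{^$local_part@}}
accept condition = ${if match{$domain}{^mail[0-9]+}}
"""
```

Both kinds of finding mean that message-derived bytes reach the PCRE pattern compiler; a "raw" finding additionally means the sender can introduce regex metacharacters.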