Re: [exim] [exim-dev] PCRE vunerability and Exim ?

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMMichael Haardt at <-
MNigel Metheringham at ->
Delete this message
Reply to this message
Author: Jan Srzednicki
Date:  
To: Dr Andrew C Aitchison
CC: exim-users, exim-dev
Subject: Re: [exim] [exim-dev] PCRE vunerability and Exim ?
On Wed, Nov 07, 2007 at 08:41:00AM +0000, Dr Andrew C Aitchison wrote:
> 
> [ Sorry for spamming exim-dev but I believe that the
>    PCRE maintainer lurks there and not on exim-users  :-]
[..]
> exim-4.68 includes pcre 7.2, which is presumably vunerable.
>
> I suspect that within exim pcre does not parse user-supplied
> expressions, so this is not a major vunerability, but is anyone
> in a position to confirm this, or do we need to release an updated
> version of exim ?

Well, that depends on site's setup. Exim can put user-supplied data into
the regex value (there's a string expansion target "rxquote" for that),
so I can imagine there are quite many of potentially vulnerable systems
out there. 

-- 
  Jan Srzednicki  ::  http://wrzask.pl/
  "Remember, remember, the fifth of November"
                                     -- V for Vendetta



This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-[exim-dev] [Bug 627] /var/run/exim4 directory not create so pid file not created[exim-dev] [Bug 628] New: PCRE package is outdated and has known security issues->
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Mail spamRe: [exim] Load Balancing (2) Exim servers->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)