Re: [exim-dev] PCRE vunerability and Exim ?

Author: Daniel Tiefnig
Date:  
To: exim-dev
Subject: Re: [exim-dev] PCRE vunerability and Exim ?
Nigel Metheringham wrote:
> I'll work on that as I can, but if other people could test the
> current CVS copy - and even better push it through the test suite and
> report back, that would be very useful.


Hej,

I gave it a try. I don't have time to debug things at the moment, so I
just list what I have found. If anyone feels like fixing things and
needs some further information and investigation, please just contact me
via the list or PM.

Attention, lots of debug output ahead.


Here's how I ran the testsuite:
--------------------------------------------------------------------
$ ./runtest
Exim tester 4.68 (23-Aug-07)
You need to have sudo access to root to run these tests. Checking ...
Test for sudo OK
Exim binary found in ./../exim-snapshot/build-Linux-x86_64/exim
--------------------------------------------------------------------
Exim version 4.68 #2 built 14-Nov-2007 14:50:06
Support for: iconv() Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
--------------------------------------------------------------------
The spamc command failed: assume SpamAssassin (spamd) is not running
Program caller is dtiefnig, whose group is dtiefnig
Home directory is /home/dtiefnig
You need to be in the Exim group to run these tests. Checking ... OK
IPv4 address is 10.3.0.14
IPv6 address is <no IPv6 address found>
Hostname is orion

*** Host name is not fully qualified: this may cause problems ***

Exim user is Debian-exim (100)
Exim group is Debian-exim (102)
The Exim user needs access to the test suite directory. Checking ... OK

Test range is 1 to 8999
Omitting tests in 1000-Basic-ipv6 (missing support IPv6)
Omitting tests in 2000-GnuTLS (missing support GnuTLS)
Omitting tests in 2100-OpenSSL (missing support OpenSSL)
Omitting tests in 2200-dnsdb (missing lookup dnsdb)
Omitting tests in 2250-dnsdb-ipv6 (missing support IPv6)
Omitting tests in 2400-cdb (missing lookup cdb)
Omitting tests in 2500-dsearch (missing lookup dsearch)
Omitting tests in 2600-SQLite (missing lookup sqlite)
Omitting tests in 3000-Perl (missing support Perl)
Omitting tests in 3100-dlfunc (missing support Expand_dlfunc)
Omitting tests in 3200-testdb (missing lookup testdb)
Omitting tests in 3300-crypteq (missing support crypteq)
Omitting tests in 3400-plaintext (missing authenticator plaintext)
Omitting tests in 3450-plaintext-GnuTLS (missing support GnuTLS)
Omitting tests in 3460-plaintext-OpenSSL (missing support OpenSSL)
Omitting tests in 3500-CRAM-MD5 (missing authenticator cram_md5)
Omitting tests in 3600-SPA (missing authenticator spa)
Omitting tests in 3650-Dovecot (missing authenticator dovecot)
Omitting tests in 4000-scanning (missing running SpamAssassin)
Omitting tests in 4950-translate-ip (missing support translate_ip_address)
Omitting tests in 5050-mbx (missing transport appendfile/mbx)
Omitting tests in 5100-lmtp-transport (missing transport lmtp)
--------------------------------------------------------------------

The problems it came up with:

--------------------------------------------------------------------
Basic/0002 Common string expansions
--------------------------------------------------------------------
** Comparison of test-stderr-munged with \
                  stderr/0002 failed===============
Line 177 of "test-stderr-munged" does not match \
line 177 of "stderr/0002".
----------
   ;TESTSUITE/aux-fixed/0002.lsearch
----------
   :TESTSUITE/aux-fixed/0002.lsearch
===============
Line 222 of "test-stderr-munged" does not match \
line 222 of "stderr/0002".
----------
   ;TESTSUITE/aux-fixed/0002.lsearch
----------
   :TESTSUITE/aux-fixed/0002.lsearch
===============
2 differences found.
--------------------------------------------------------------------
Maybe needs just an update of stderr/0002.
Similar problems exist in the following tests:
   Basic/0085
   Basic/0123
   Basic/0387
   Basic/0403
   Basic/0414
   Basic/0437
   Basic/0464
   Basic/0471
   Basic/0484



--------------------------------------------------------------------
Basic/0020 -bh and megahomed hosts
--------------------------------------------------------------------
Test 1
** Buffer overflow for file "stderr/0020"
** CMP abandoned
--------------------------------------------------------------------
That's interesting. Have to look into it.


--------------------------------------------------------------------
Basic/0036 Rewriting because of DNS lookup
--------------------------------------------------------------------
** Comparison of test-mainlog-munged with \
                  log/0036 failed===============
Lines 10-11 of "test-mainlog-munged" do not match \
  line 10 of "log/0036".
----------
1999-03-02 09:44:33 no IP address found for host the.local.host.name
(during SMTP connection from [ip4.ip4.ip4.ip4])
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@???
H=(myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss
id=E10HmaX-0005vi-00@???
----------
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@???
H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss
id=E10HmaX-0005vi-00@???
===============
1 difference found.
"test-mainlog-munged" contains 16 lines; "log/0036" contains 15 lines.
--------------------------------------------------------------------
** Comparison of test-mail-munged with \
                  mail/0036.abcd failed===============
Line 2 of "test-mail-munged" does not match line 2 of "mail/0036.abcd".
----------
Received: from [ip4.ip4.ip4.ip4] (helo=myhost.test.ex)
----------
Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex)
===============
1 difference found.
--------------------------------------------------------------------
Same as with "mail/0036.abcd" for "mail/0036.userx".



--------------------------------------------------------------------
Basic/0190 hosts_randomize (smtp transport and manualroute)
--------------------------------------------------------------------
Server return code 99
Show server stdout, Continue, or Quit? [Q] s
Listening on port 1224 ...
Connection request from [10.3.0.14]
220 ESMTP
EHLO orion
250-OK
250 HELP
MAIL FROM:<dtiefnig@???>
250 Sender OK
RCPT TO:<userx@domain1>
250 Recipient OK
DATA
350 Send message
Received: from dtiefnig by orion with local (Exim x.yz)
         (envelope-from <dtiefnig@???>)
         id 1IsJAa-0003jz-Bu; Wed, 14 Nov 2007 15:24:44 +0100
Message-Id: <E1IsJAa-0003jz-Bu@orion>
From: CALLER_NAME <dtiefnig@???>
Date: Wed, 14 Nov 2007 15:24:44 +0100


Test message
.
250 OK
QUIT
250 OK
Expected EOF read from client
Listening on port 1224 ...
Connection request from [10.3.0.14]
220 ESMTP
EHLO orion
250-OK
250 HELP
MAIL FROM:<dtiefnig@???>
250 Sender OK
RCPT TO:<userx@domain2>
250 Recipient OK
DATA
350 Send message
Received: from dtiefnig by orion with local (Exim x.yz)
         (envelope-from <dtiefnig@???>)
         id 1IsJAa-0003jz-Bu; Wed, 14 Nov 2007 15:24:44 +0100
Message-Id: <E1IsJAa-0003jz-Bu@orion>
From: CALLER_NAME <dtiefnig@???>
Date: Wed, 14 Nov 2007 15:24:44 +0100


Test message
.
250 OK
QUIT
250 OK
Expected EOF read from client
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 ESMTP
EHLO orion
250-OK
250 HELP
MAIL FROM:<dtiefnig@???>
250 Sender OK
RCPT TO:<userx@domain3>
250 Recipient OK
DATA
350 Send message
Received: from dtiefnig by orion with local (Exim x.yz)
         (envelope-from <dtiefnig@???>)
         id 1IsJAa-0003jz-Bu; Wed, 14 Nov 2007 15:24:44 +0100
Message-Id: <E1IsJAa-0003jz-Bu@orion>
From: CALLER_NAME <dtiefnig@???>
Date: Wed, 14 Nov 2007 15:24:44 +0100


Test message
.
250 OK
QUIT
250 OK
End of script
Listening on port 1224 ...
Server timed out
--------------------------------------------------------------------
** Command 7 ("exim", starting at line 93)
** Return code 1 (expected 0)
show stdErr, show stdOut, Continue (without file comparison), \
or Quit? [Q] e

show stdErr, show stdOut, Continue (without file comparison), \
or Quit? [Q] o
x@x
router = others, transport = smtp2
host 224.0.0.3 [224.0.0.3]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.1 [224.0.0.1]
x@y
router = others, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.3 [224.0.0.3]
x@z
router = others, transport = smtp2
host 224.0.0.3 [224.0.0.3]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.1 [224.0.0.1]
x@batch
router = batched, transport = smtp2
host 224.0.0.3 [224.0.0.3]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.1 [224.0.0.1]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
y@batch
router = batched, transport = smtp2
host 224.0.0.2 [224.0.0.2]
host 224.0.0.1 [224.0.0.1]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.7 [224.0.0.7]
z@batch
router = batched, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
x@batch2
router = batched, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
y@batch2
router = batched, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
x@batch3
router = batched2, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
y@batch3
router = batched2, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
x@batch4
router = batched2, transport = smtp2
host 224.0.0.1 [224.0.0.1]
host 224.0.0.2 [224.0.0.2]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.7 [224.0.0.7]
y@batch4
router = batched2, transport = smtp2
host 224.0.0.2 [224.0.0.2]
host 224.0.0.1 [224.0.0.1]
host 224.0.0.3 [224.0.0.3]
host 224.0.0.5 [224.0.0.5]
host 224.0.0.6 [224.0.0.6]
host 224.0.0.4 [224.0.0.4]
host 224.0.0.7 [224.0.0.7]
userx@bdomain1 cannot be resolved at this time: lookup of host "orion"
failed in r3 router
userx@bdomain2 cannot be resolved at this time: lookup of host "orion"
failed in r3 router
userx@bdomain3 cannot be resolved at this time: lookup of host "orion"
failed in r3 router
--------------------------------------------------------------------
The hostname "orion" really can't be resolved via DNS, it's in
/etc/hosts, though. After the client stuff there is one additional
server output offered by the test-script, which I didn't include here.
(It's very similar to the first one above.)

--------------------------------------------------------------------
Basic/0345 quota_xxx in retry rules
--------------------------------------------------------------------
** Comparison of test-stdout-munged with \
                  stdout/0345 failed===============
Line 4 of "test-stdout-munged" does not match line 4 of "stdout/0345".
----------
-rw------- 1 CALLER CALLER 0 2002-05-10 00:00 TESTSUITE/test-mail/a
----------
-rw------- 1 CALLER CALLER 0 May 10 2002 TESTSUITE/test-mail/a
===============
1 difference found.
--------------------------------------------------------------------
Oh dear. :o)

| $ locale
| [...]
| LC_TIME="en_US.UTF-8"
| [...]


--------------------------------------------------------------------
Basic/0358 retrying address errors (not first address)
--------------------------------------------------------------------
** Comparison of test-stdout-munged with \
                  stdout/0358 failed===============
Lines 2-9 of "test-stdout-munged" do not match \
lines 2-9 of "stdout/0358".
----------
   R:usery@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<usery@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
first failed = time last try = time2 next try = time2 + 1
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
first failed = time last try = time2 next try = time2 + 1
+++++++++++++++++++++++++++
   R:usery@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<usery@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
first failed = time last try = time2 next try = time2 + 2
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
----------
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
first failed = time last try = time2 next try = time2 + 1
   R:usery@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<usery@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
first failed = time last try = time2 next try = time2 + 1
+++++++++++++++++++++++++++
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
first failed = time last try = time2 next try = time2 + 2
   R:usery@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<usery@???>: host 127.0.0.1 [127.0.0.1]: 451
Temporary error
===============
1 difference found.
--------------------------------------------------------------------
Line order changed. Timing problem, or error in stdout/0358?


--------------------------------------------------------------------
Basic/0373 ${readsocket (Unix domain and IPv4)
--------------------------------------------------------------------
** Comparison of test-stdout-munged with \
                  stdout/0373 failed===============
Line 11 of "test-stdout-munged" does not match line 11 of "stdout/0373".
----------

> 7 >>sock error<<

----------
> 7 >><<

===============
1 difference found.
--------------------------------------------------------------------
Hmmm. That's strange.


--------------------------------------------------------------------
Basic/0427 Sieve tests using -bf
--------------------------------------------------------------------
** Comparison of test-stdout-munged with \
                  stdout/0427 failed===============
Line 254 of "test-stdout-munged" does not match line 254 of "stdout/0427".
----------
Implicit keep
----------
No implicit keep
===============
1 difference found.
--------------------------------------------------------------------
Uh? :o)



--------------------------------------------------------------------
Basic/0548 recipient and host defer interactions
--------------------------------------------------------------------
** Comparison of test-rejectlog-munged with \
                  rejectlog/0548 failed===============
 From line 3 of "test-rejectlog-munged" and
      line 3 of "rejectlog/0548" the files are different.
----------
1999-03-02 09:44:33 H=(the.local.host.name) [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <userx@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
1999-03-02 09:44:33 H=(the.local.host.name) [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <userx@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
1999-03-02 09:44:33 H=(the.local.host.name) [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <usery@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
1999-03-02 09:44:33 H=(the.local.host.name) [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <usery@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
----------
1999-03-02 09:44:33 H=the.local.host.name [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <userx@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
1999-03-02 09:44:33 H=the.local.host.name [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <userx@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
1999-03-02 09:44:33 H=the.local.host.name [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <usery@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
1999-03-02 09:44:33 H=the.local.host.name [ip4.ip4.ip4.ip4]
F=<CALLER@???> temporarily rejected RCPT <usery@???>: Recipient
deferred
1999-03-02 09:44:33 H=[127.0.0.1] temporarily rejected connection in
"connect" ACL: host deferred
===============
1 difference found.
--------------------------------------------------------------------
** Comparison of test-stdout-munged with \
                  stdout/0548 failed===============
 From line 2 of "test-stdout-munged" and \
      line 2 of "stdout/0548" the files are different.
----------
   T:thishost.test.ex:127.0.0.1:1225 0 65 SMTP error from remote mail
server after initial connection: host thishost.test.ex [127.0.0.1]: 451
host deferred
first failed = time last try = time2 next try = time2 + 1
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host ipv4.ipv4.ipv4.ipv4
[ipv4.ipv4.ipv4.ipv4]: 451 Recipient deferred
first failed = time last try = time2 next try = time2 + 1
+++++++++++++++++++++++++++
   T:thishost.test.ex:127.0.0.1:1225 0 65 SMTP error from remote mail
server after initial connection: host thishost.test.ex [127.0.0.1]: 451
host deferred
first failed = time last try = time2 next try = time2 + 1
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host ipv4.ipv4.ipv4.ipv4
[ipv4.ipv4.ipv4.ipv4]: 451 Recipient deferred
first failed = time last try = time2 next try = time2 + 5 *
+++++++++++++++++++++++++++
   T:thishost.test.ex:127.0.0.1:1225 0 65 SMTP error from remote mail
server after initial connection: host thishost.test.ex [127.0.0.1]: 451
host deferred
first failed = time last try = time2 next try = time2 + 1
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host ipv4.ipv4.ipv4.ipv4
[ipv4.ipv4.ipv4.ipv4]: 451 Recipient deferred
first failed = time last try = time2 next try = time2 + 5 *
----------
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host ipv4.ipv4.ipv4.ipv4
[ipv4.ipv4.ipv4.ipv4]: 451 Recipient deferred
first failed = time last try = time2 next try = time2 + 1
   T:thishost.test.ex:127.0.0.1:1225 0 65 SMTP error from remote mail
server after initial connection: host thishost.test.ex [127.0.0.1]: 451
host deferred
first failed = time last try = time2 next try = time2 + 1
+++++++++++++++++++++++++++
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host ipv4.ipv4.ipv4.ipv4
[ipv4.ipv4.ipv4.ipv4]: 451 Recipient deferred
first failed = time last try = time2 next try = time2 + 5 *
   T:thishost.test.ex:127.0.0.1:1225 0 65 SMTP error from remote mail
server after initial connection: host thishost.test.ex [127.0.0.1]: 451
host deferred
first failed = time last try = time2 next try = time2 + 1
+++++++++++++++++++++++++++
   R:userx@???:<CALLER@???> -44 13121 SMTP error from remote mail
server after RCPT TO:<userx@???>: host ipv4.ipv4.ipv4.ipv4
[ipv4.ipv4.ipv4.ipv4]: 451 Recipient deferred
first failed = time last try = time2 next try = time2 + 5 *
   T:thishost.test.ex:127.0.0.1:1225 0 65 SMTP error from remote mail
server after initial connection: host thishost.test.ex [127.0.0.1]: 451
host deferred
first failed = time last try = time2 next try = time2 + 1
===============
1 difference found.
--------------------------------------------------------------------
Logfile syntax change in rejectlog? Same in mainlog. Line order changed
in STDOUT.



--------------------------------------------------------------------
maildir/5005 maildirsize for quota handling
--------------------------------------------------------------------
** Comparison of test-stderr-munged with
                  stderr/5005 failed===============
Line 456 of "test-stderr-munged" does not match \
line 456 of "stderr/5005".
----------
check_dir_size: dir=TESTSUITE/test-mail/userx/cur sum=0 count=0
----------
check_dir_size: dir=TESTSUITE/test-mail/userx/cur sum=0 count=dd
===============
1 difference found.
--------------------------------------------------------------------
Hmm, test-script problem?



That's it already. :o)

lg & hth,
daniel