------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=894
Summary: Data after 4096 byte of comment appended to previous
expansion list
Product: Exim
Version: 4.69
Platform: All
OS/Version: All
Status: NEW
Severity: security
Priority: critical
Component: Lookups
AssignedTo: nigel@???
ReportedBy: strr-exim@???
CC: exim-dev@???
Created an attachment (id=328)
--> (
http://bugs.exim.org/attachment.cgi?id=328)
An aliases file demonstrating the bug
On our company mail server we had a simple aliases file based expansion
mechanism ... i.e.:
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
Some of the lines in the aliases file were longer than 4kB.
However they were commented out with a '#' at the front
It appears that in this situation characters after 4096 in the line are
appended to the preceding non-comment, non-whitespace line.
For example, install the attached aliases file as /etc/aliases and run:
$ exim -bt c
xsomeoneelse@???
<-- c@???
In this case 'c' should expand to just 'x', but the characters beyond 4096 in
the commented line are appended erroneously resulting in 'xsomeonelse'.
If the commented line contains complete, valid email addresses beyond the
4096th character then they will be incorrectly included in the expansion hence
the 'security' classification on this bug. In our situation this means an
expansion destined for four company-internal recipients ended up being sent to
rather a lot of unintended third parties.
--
Configure bugmail:
http://bugs.exim.org/userprefs.cgi?tab=email