Folks,
During the RC process for Exim 4.75, we were notified of a possible
issue in Exim, as part of a general "much software has this problem"
alert, by CERT. The issue relates to STARTTLS and command injection,
as described by Wietse Venema at:
http://article.gmane.org/gmane.mail.postfix.user/218905
As soon as we were made aware of the possible issue we investigated, and
confirmed that Exim is *NOT* vulnerable.
Exim uses two different buffers for I/O for the two different security
contexts, pre-TLS and within-TLS. The pre-TLS I/O buffer is never used
after TLS is established, as the function pointers used to perform I/O
are swapped out for the TLS variants. This applies for both OpenSSL and
GnuTLS variants of TLS support within Exim.
In addition, even if Exim did not use separate buffers, the default
configuration enforces protocol synchronisation which would also catch
this.
We will probably add some diagnostics and belt-and-braces sanitisation
to a future release, to report when someone might be trying such an
attack.
-Phil
