[exim] Exim 4.80 erratum: tls_sni + OpenSSL + fail

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-users
Subject: [exim] Exim 4.80 erratum: tls_sni + OpenSSL + fail
Folks,

Sorry about this, a coding error on my part.

If you build Exim to use OpenSSL and if you set the new tls_sni option
on the smtp transport, and you wish the expansion result to indicate "do
not send TLS Server Name Indication", then you need to ensure that the
expansion results in an empty string.

If the expansion results in a forced failure (explicit "fail" in the
expansion), then Exim 4.80 will segfault during delivery to the remote
host, freezing the mail in the queue. There is no exploitable attack
vector here: we simply call strlen(NULL). At worst, the queue will grow
with frozen messages.

Expansion failures which are not explicitly forced are unaffected.

The rewritten GnuTLS glue for Exim uses a more consistent style and so
I avoided writing this bug twice.

Good:
- ----------------------------8< cut here >8------------------------------
remote_smtp:
driver = smtp
tls_sni = ${extract{tls_sni}{$address_data}{$value}{}}

remote_smtp_even_better:
driver = smtp
tls_sni = ${extract{tls_sni}{$address_data}}
- ----------------------------8< cut here >8------------------------------

Broken:
- ----------------------------8< cut here >8------------------------------
remote_smtp:
driver = smtp
tls_sni = ${extract{tls_sni}{$address_data}{$value}fail}
- ----------------------------8< cut here >8------------------------------

If your configuration style has you using forced failure, then the
following patch should resolve the issue for you. It is relative to the
Exim 4.80 release:

http://git.exim.org/exim.git/patch/2c9a0e86055f1e86ca5cdde421f5f8c9a48b0194

(Do not try to use a patch from HEAD, there have already been some
significant changes since the 4.80 release)

Once more, my apologies for the inconvenience if this affects you.
- -Phil