Re: [exim] Exim 4.80.1 security release - details

On 2012-10-26 at 11:45 +0300, Marius Stan wrote:
> On 26.10.2012 11:35, Phil Pennock wrote:
> > During internal code review on Wednesday, I uncovered a remote code
> > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> > handling. This can be triggered by anyone who can send you email from a
> > domain for which they control the DNS, and gets them the Exim run-time
> > user.
> Hi Phil,
> If an existing exim instalation doesn't verify received DKIMs is it
> still vulnerable ?

Be careful: "verify DKIM on received mails" is *not* the same as "has
defined a DKIM ACL".

If Exim was built normally (without DISABLE_DKIM) then the DKIM logic is
present. Then, even if you don't define a DKIM ACL, Exim does
verification anyway for inbound mails, to set various needed variables.

*IF* you have:

warn control = dkim_disable_verify

at the start of an ACL which has been plumbed into acl_smtp_connect or
acl_smtp_rcpt, then you are safe.

If you do not explicitly set the dkim_disable_verify control, then you
are vulnerable.

Regards,
- -Phil