http://bugs.exim.org/show_bug.cgi?id=1510
Summary: Alleged out of bounds read in filter
Product: Exim
Version: 4.83
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: security
Priority: medium
Component: Filters
AssignedTo: nigel@???
ReportedBy: clouds@???
CC: exim-dev@???
To whom it may concern,
I apologize for communicating to bugreports but I am unable to find
Exim's public-facing vulnerability communication mechanism.
It looks like there is an out-of-bounds read within Exim 4.83 (as
pulled from
http://ftp.univie.ac.at/applications/exim/exim/exim4/exim-4.83.tar.gz).
Within filter.c - line 39, union argtypes args[1] is declared, which results
in argtypes args having an allocated size of 8 bytes.
So further along, within filter.c - line 2335, interpret_commands(), args
points far beyond the allocated 8 bytes, i.e. it is set to 96 bytes.
I have confirmed the out of bounds read in Valgrind and static analysis
tools. So it looks and smells plausible. Exploitability? Not entirely
certain.
You can find additional information at
http://cwe.mitre.org/data/definitions/125.html and
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/cpp/out_of_bounds_read.html
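
Added example, not part of the original report and not Exim's code: with a one-element trailing array like the args[1] declaration described above, whether a read past slot 0 is out of bounds (CWE-125) depends on how many bytes the enclosing object was allocated, so a triager has to check the allocation site as well as the declaration. The names struct cmd, cmd_size, cmd_new and cmd_arg are hypothetical; the 12-slot case assumes 8-byte slots, matching the 8 and 96 bytes quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not Exim's definitions. */
union argtypes { char *u; void *p; long n; };

struct cmd {
    size_t nargs;            /* number of slots the allocation really holds */
    union argtypes args[1];  /* declared with a single element */
};

/* Bytes the object must own so that slots 0..nargs-1 are in bounds. */
size_t cmd_size(size_t nargs) {
    if (nargs == 0) nargs = 1;
    if (nargs > ((size_t)-1 - offsetof(struct cmd, args)) / sizeof(union argtypes))
        return 0;            /* size computation would overflow */
    return offsetof(struct cmd, args) + nargs * sizeof(union argtypes);
}

struct cmd *cmd_new(size_t nargs) {
    size_t sz = cmd_size(nargs);
    struct cmd *c = sz ? calloc(1, sz) : NULL;
    if (c) c->nargs = nargs ? nargs : 1;
    return c;
}

/* Checked read of slot i: 0 on success, -1 if i lies outside the allocation. */
int cmd_arg(const struct cmd *c, size_t i, union argtypes *out) {
    if (c == NULL || out == NULL || i >= c->nargs) return -1;
    /* Index from the object's base so the declared [1] bound is not relied on. */
    const union argtypes *slots =
        (const union argtypes *)((const char *)c + offsetof(struct cmd, args));
    *out = slots[i];
    return 0;
}

int main(void) {
    union argtypes v;
    struct cmd *one = cmd_new(1);      /* exactly the declared size */
    struct cmd *twelve = cmd_new(12);  /* 12 slots: 96 bytes if a slot is 8 bytes */
    if (!one || !twelve) return 1;
    printf("1 slot,  read slot 11: %d\n", cmd_arg(one, 11, &v));
    printf("12 slots, read slot 11: %d\n", cmd_arg(twelve, 11, &v));
    printf("12 slots, read slot 12: %d\n", cmd_arg(twelve, 12, &v));
    free(one);
    free(twelve);
    return 0;
}
```

Running the same accesses without the cmd_arg check under Valgrind or AddressSanitizer flags only the reads that fall outside the bytes actually allocated.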