[exim-dev] [Bug 1510] New: Alleged out of bounds read in fil…

Góra strony
Delete this message
Reply to this message
Autor: Clouds
Data:  
Dla: exim-dev
Temat: [exim-dev] [Bug 1510] New: Alleged out of bounds read in filter
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1510
           Summary: Alleged out of bounds read in filter
           Product: Exim
           Version: 4.83
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Filters
        AssignedTo: nigel@???
        ReportedBy: clouds@???
                CC: exim-dev@???



To whom it may concern;

I apologize for communicating to bugreports but I am unable to find
Exim's public-facing vulnerability communication mechanism.

It looks like there is a out of bound read within Exim - 4.83 (as
pulled from
http://ftp.univie.ac.at/applications/exim/exim/exim4/exim-4.83.tar.gz
)

Within filter.c - line 39, union argtypes args[1] is declared. Which results
in argtypes args having an allocated size of 8 bytes.
So further along, within filter.c - line 2335, interpret_commands(), args
points far beyond the the allocated 8 bytes. IE it is set to 96 bytes.

I have confirmed the out of bounds read in Valgrind and static analysis
tools. So it looks and smells plausible. Exploitability? Not entirely
certain.


You can find additional information @
http://cwe.mitre.org/data/definitions/125.html and
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/cpp/out_of_bounds_read.html
.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email