Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely expl…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
On Tue, Jan 27, 2015 at 05:33:45PM +0000, Tony Finch wrote:

> All I know at the moment comes from the vulnerability announcement that
> Qualys posted this afternoon. Quote:
>
> The Exim mail server is exploitable remotely if configured to perform
> extra security checks on the HELO and EHLO commands ("helo_verify_hosts"
> or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed
> a reliable and fully-functional exploit that bypasses all existing
> protections (ASLR, PIE, NX) on 32-bit and 64-bit machines.
>
> http://www.openwall.com/lists/oss-security/2015/01/27/9

FWIW, Postfix never uses gethostbyname() on systems that have
getaddrinfo() (build configuration enables IPv6 API support).

On systems with no IPv6 API Postfix only calls gethostbyname()
after first dealing with literal address forms via inet_pton().
In other words, literal IPv4 addresses accepted by inet_pton()
are never passed to gethostbyname().

Perhaps a similar approach will work in Exim, for users who are in a
position to remediate Exim more quickly than glibc.

-- 
    Viktor.
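The gating order Viktor describes (try inet_pton() on the input first, so that address literals never reach the resolver, and resolve everything else through getaddrinfo() rather than gethostbyname()) is sketched below as an added example. It is not Postfix or Exim code and not part of the original message; classify_host() and resolve_host() are hypothetical helper names. Name lookups go through getaddrinfo() only, and for literals AI_NUMERICHOST is set so no DNS query is issued at all.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* What the pre-check decided about the input before any resolver call. */
enum host_kind {
    HOST_LITERAL_V4,  /* accepted by inet_pton(AF_INET)  */
    HOST_LITERAL_V6,  /* accepted by inet_pton(AF_INET6) */
    HOST_NAME,        /* not a literal: needs a name lookup */
    HOST_INVALID      /* empty or NULL input */
};

/* Hypothetical helper: classify a HELO/EHLO argument or hostname.
 * Literal addresses are consumed here by inet_pton() and therefore
 * never go anywhere near gethostbyname(). Anything inet_pton() rejects
 * (including malformed digits-and-dots strings) is treated as a name. */
enum host_kind classify_host(const char *s)
{
    unsigned char buf[16];  /* large enough for an IPv6 address */

    if (s == NULL || *s == '\0')
        return HOST_INVALID;
    if (inet_pton(AF_INET, s, buf) == 1)
        return HOST_LITERAL_V4;
    if (inet_pton(AF_INET6, s, buf) == 1)
        return HOST_LITERAL_V6;
    return HOST_NAME;
}

/* Hypothetical helper: resolve s using getaddrinfo() only. For literals
 * AI_NUMERICHOST is set, which makes getaddrinfo() parse the address
 * without consulting DNS. The first address is written to out as text.
 * Returns 0 on success, -1 on failure. gethostbyname() is never called. */
int resolve_host(const char *s, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    enum host_kind kind = classify_host(s);
    int rc;

    if (kind == HOST_INVALID)
        return -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;       /* IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;   /* one entry per address, not per socktype */
    if (kind != HOST_NAME)
        hints.ai_flags |= AI_NUMERICHOST;  /* literal: no DNS lookup */

    if (getaddrinfo(s, NULL, &hints, &res) != 0 || res == NULL)
        return -1;

    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}
```

Only the literal paths are exercised offline; a HOST_NAME input makes resolve_host() perform an ordinary getaddrinfo() lookup, which needs a working resolver. The point of the pre-check is the same one the message makes for Postfix: whatever the resolver does with names, valid address literals are handled before it is ever consulted.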