[exim] [hs@schlittermann.de: Re: CVE-2017-1000369 | Exim 4.8…

Author: Heiko Schlittermann
Date:  
To: exim-users, exim-dev
Subject: [exim] [hs@schlittermann.de: Re: CVE-2017-1000369 | Exim 4.89+fixes]
Hello Exim Users and Exim Developers,

some of you may have noticed already CVE-2017-1000369. It is related
to a stack/heap clash. For more information see
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash

As it is possible to abuse Exim as a tool to exploit this vulnerability
in the underlying system, Qualys asked us to do a small change in Exim.

We want to point out that it is *NOT* Exim that is vulnerable. But Exim
can be used as a vector to exploit a vulnerable system.

(Technical detail: it was possible to leak memory by (repeated) use of
-p<protocol>. During normal operation this didn't matter, because this
option is used only once, and the forgotten memory gets freed by the OS
on exit of the short lived process.)

Yesterday, June 19th, 15:00 UTC, Qualys released the information to the
public. The distro packagers were informed in advance, so
distribution packages of Exim should be fixed already (in Debian Stretch
it is, for other distros I do not know.)

IF your distribution updated the packaged version of Exim
OR the underlying system

THEN you're safe already and can stop reading.

ELSE keep on reading.

For simplicity I just append the information I sent out to the distro
packagers some days ago:


----- Forwarded message from Heiko Schlittermann <hs@???> -----

Date: Sun, 18 Jun 2017 10:54:04 +0200
From: Heiko Schlittermann <hs@???>
To: Operating system distro security contacts <distros@???>
Subject: Re: CVE-2017-1000369 | Exim 4.89+fixes

Heiko Schlittermann <hs@???> (Thu 15 Jun 2017 00:00:04 CEST):
> Hello packagers of Exim,


> We got CVE-2017-1000369 for a vulnerability that can be exploited
> through Exim. As Exim itself is not exploitable, and as we do not
> understand the fix as a security issue in Exim itself, we do not see a
> reason for a point release.
>
> We have a small patch already. As soon as possible I'll publish an
> exim-4_89+fixes branch. I'll put there some additional backported
> (from devel branch) minor security enhancements and send you a
> notification as soon as the +fixes branch is available.


As we are somewhat delayed with creating a new (point?) release, I'd
kindly ask you to include this commit into your packaged versions of
Exim: 65e061b76867a9ea7aeeb535341b790b90ae6c21

There should be no impact for ordinary users of Exim. It prevents
the multiple use of '-p <protocol>' option for the command line
invocation. (There is probably no use case for doing so.) By this small
patch we can help improving the security of the underlying system.

This commit is part of the current, but not yet released master branch.
We'll prepare a new Exim version, or do a point release, including this
commit. Until this is done, please include this patch manually.

In case you do not have access to the Git repo, the patch is attached to
this message. It should apply cleanly.

Thank you for your understanding.

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -


commit 65e061b76867a9ea7aeeb535341b790b90ae6c21
Author: Heiko Schlittermann (HS12-RIPE) <hs@???>
Date: Wed May 31 23:08:56 2017 +0200

    Cleanup (prevent repeated use of -p/-oMr to avoid mem leak)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 06373ccd..7816bc26 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -4274,7 +4274,7 @@ or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard
SMTP protocol names (see the description of &$received_protocol$& in section
&<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by
one of those same names. For &%-bS%& (batched SMTP) however, the protocol can
-be set by &%-oMr%&.
+be set by &%-oMr%&. Repeated use of this option is not supported.

.vitem &%-oMs%&&~<&'host&~name'&>
.oindex "&%-oMs%&"
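Review bot: "Repeated use of this option is not supported" (the line added at the end of the -oMr paragraph) understates what the accompanying exim.c change does: a second -oMr now makes Exim print an error and exit non-zero, and a reader of the spec cannot tell "not supported" from "last value wins". Say what happens, e.g. "Giving this option more than once is an error; Exim reports it and exits."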
@@ -4374,6 +4374,7 @@ host name and its colon can be omitted when only the protocol is to be set.
Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer
to embedded Perl. It is therefore impossible to set a protocol value of &`d`&
or &`s`& using this option (but that does not seem a real limitation).
+Repeated use of this option is not supported.

.vitem &%-q%&
.oindex "&%-q%&"
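Review bot: the sentence added under -p should also say that -p and -oMr set the same value, because the exim.c checks test the shared received_protocol variable rather than counting occurrences of each option, so "-oMr x -p y" (in either order) is refused exactly like a repeated -p. Suggested wording: "This option sets the same value as -oMr; giving either option more than once, or both together, is an error."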
diff --git a/src/src/exim.c b/src/src/exim.c
index 67583e58..88e11977 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++)

       /* -oMr: Received protocol */


-      else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
+      else if (Ustrcmp(argrest, "Mr") == 0)
+
+        if (received_protocol)
+          {
+          fprintf(stderr, "received_protocol is set already\n");
+          exit(EXIT_FAILURE);
+          }
+        else received_protocol = argv[++i];


       /* -oMs: Set sender host name */


@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++)

     if (*argrest != 0)
       {
-      uschar *hn = Ustrchr(argrest, ':');
+      uschar *hn;
+
+      if (received_protocol)
+        {
+        fprintf(stderr, "received_protocol is set already\n");
+        exit(EXIT_FAILURE);
+        }
+
+      hn = Ustrchr(argrest, ':');
       if (hn == NULL)
         {
         received_protocol = argrest;
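Review bot: this check is a verbatim copy of the one in the -oMr hunk (same message, same exit), so factor both into one small helper to keep the wording and exit status from drifting apart. The placement is right: it runs before `hn = Ustrchr(argrest, ':')` and before either branch stores anything derived from argrest. It does only guard the `if (*argrest != 0)` branch, which is fine as long as the bare-`-p` path never assigns received_protocol; a one-line comment saying so would save the next reader from checking.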



----- End forwarded message -----
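The defensive pattern behind the commit above, shown as an added illustration in plain C (it is not Exim's code and uses hypothetical names): a parser that makes a fresh heap copy on every occurrence of an option lets any caller grow the process heap just by repeating that option, which is the "forgotten memory" the mail describes; the set-once check refuses the repetition before anything is allocated. The argv arrays are constructed inputs, and parse_protocol_leaky, parse_protocol_once and the demo_* helpers are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable strdup so the example builds under strict C99. */
static char *dup_str(const char *s)
{
  size_t n = strlen(s) + 1;
  char *d = malloc(n);
  if (d) memcpy(d, s, n);
  return d;
}

/* Naive parser (hypothetical): every "-p<proto>" makes a new heap copy and
   forgets the previous one, so each repetition of the option grows the heap
   by strlen(proto)+1 bytes. Returns the number of bytes left unreachable. */
static size_t parse_protocol_leaky(int argc, char **argv, char **proto)
{
  size_t leaked = 0;
  *proto = NULL;
  for (int i = 1; i < argc; i++)
    if (strncmp(argv[i], "-p", 2) == 0 && argv[i][2] != '\0')
      {
      if (*proto) leaked += strlen(*proto) + 1;  /* old copy is now unreachable */
      *proto = dup_str(argv[i] + 2);
      }
  return leaked;
}

/* Hardened parser (hypothetical): the option is accepted once; a repetition is
   refused before anything is stored, which is the shape of the Exim commit. */
static int parse_protocol_once(int argc, char **argv, const char **proto,
                               const char **err)
{
  *proto = NULL;
  *err = NULL;
  for (int i = 1; i < argc; i++)
    if (strncmp(argv[i], "-p", 2) == 0 && argv[i][2] != '\0')
      {
      if (*proto)
        {
        *err = "-p may be given only once";   /* names the option, not a variable */
        return -1;
        }
      *proto = argv[i] + 2;   /* points into argv: nothing to free, nothing to leak */
      }
  return 0;
}

/* Constructed command lines: the option repeated three times, and given once. */
static char *repeated_argv[] = { "exim", "-plocal-esmtp", "-plocal-esmtp", "-plocal-esmtp", NULL };
static const int repeated_argc = 4;
static char *single_argv[]   = { "exim", "-plocal-esmtp", "-bS", NULL };
static const int single_argc = 3;

/* Bytes the naive parser leaves unreachable on the repeated command line. */
size_t demo_leaked_bytes(void)
{
  char *p;
  size_t leaked = parse_protocol_leaky(repeated_argc, repeated_argv, &p);
  free(p);            /* only the last copy is still reachable */
  return leaked;      /* two forgotten copies of "local-esmtp": 2 * 12 = 24 */
}

/* 1 if the hardened parser refuses the repeated command line with a message. */
int demo_repeat_rejected(void)
{
  const char *p, *err;
  return parse_protocol_once(repeated_argc, repeated_argv, &p, &err) == -1 && err != NULL;
}

/* 1 if a single -p is still accepted and yields the expected value. */
int demo_single_accepted(void)
{
  const char *p, *err;
  return parse_protocol_once(single_argc, single_argv, &p, &err) == 0
         && p != NULL && strcmp(p, "local-esmtp") == 0;
}

int main(void)
{
  printf("naive parser leaked %zu bytes on the repeated line\n", demo_leaked_bytes());
  printf("hardened parser rejects the repeated line: %d\n", demo_repeat_rejected());
  printf("hardened parser accepts a single -p: %d\n", demo_single_accepted());
  return 0;
}
```

The hardened variant also avoids the copy altogether, which is the simplest way to make a repeated option harmless; where a copy is genuinely needed, the same set-once check placed before the allocation gives the same guarantee.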