https://bugs.exim.org/show_bug.cgi?id=2269
Bug ID: 2269
Summary: protect against large number of DKIM sig headers
Product: Exim
Version: 4.91
Hardware: x86
OS: All
Status: NEW
Severity: bug
Priority: medium
Component: DKIM
Assignee: tom@???
Reporter: jgh146exb@???
CC: exim-dev@???
A message observed on the LKML had one thousand signature headers (all alike).
Although the verify implementation would have only evaluated the body-hash
once (they all had the same l= value) it would have checked all the signatures
separately. We should protect against excessive resource consumption via this
attack route. Limit the number of sigs considered to, say, 20?
On expanding ${authres } for this message, the over-large check on expansions
tripped.
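A sketch of the proposed cap, added here as an example (Python, not Exim's own code). It assumes a limit of 20, keeps only the first `limit` DKIM-Signature headers, and keys body-hash work on the c=, a= and l= tags so that signatures sharing those parameters share one body-hash computation, as the report notes the verifier already does for l=.

```python
"""Cap the number of DKIM-Signature headers a verifier will consider."""
import email
from email import policy

MAX_DKIM_SIGS = 20  # assumed cap; the report suggests "say, 20"


def parse_dkim_tags(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list into a dict (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def select_signatures(raw_message: bytes, limit: int = MAX_DKIM_SIGS):
    """Return (signatures to verify, number dropped, distinct body-hash jobs).

    Only the first `limit` DKIM-Signature headers are kept, so a message
    carrying a thousand of them cannot force a thousand verifications.
    Body-hash work is keyed on (c=, a=, l=); c= defaults to simple/simple.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    headers = msg.get_all("DKIM-Signature") or []
    kept = [parse_dkim_tags(h) for h in headers[:limit]]
    dropped = max(0, len(headers) - limit)
    body_hash_jobs = {(t.get("c", "simple/simple"), t.get("a", ""), t.get("l"))
                      for t in kept}
    return kept, dropped, len(body_hash_jobs)


def build_sample(n: int) -> bytes:
    """Constructed sample: n identical DKIM-Signature headers (placeholder bh=/b= values)."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
           " s=sel; l=1234; h=from:to:subject; bh=AAAA; b=BBBB\r\n")
    body = "From: a@example.com\r\nSubject: t\r\n\r\nbody\r\n"
    return (sig * n + body).encode()


if __name__ == "__main__":
    kept, dropped, jobs = select_signatures(build_sample(1000))
    print(f"kept={len(kept)} dropped={dropped} body_hash_jobs={jobs}")
```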