Re: [exim] ATTN: Re: CVE-2019-10149: already vulnerable ?

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] ATTN: Re: CVE-2019-10149: already vulnerable ?
On 24/06/2019 19:31, Andreas Metzler via Exim-users wrote:
> Cyborg via Exim-users <exim-users@???> wrote:
>> On 23.06.19 at 21:02, Jeremy Harris via Exim-users wrote:
>>>   deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>>>         message = no mate
> [...]
>> Anyone who used this restricted chars patch:
> [...]
>> should update to this ruleset :
> [...]
>>           local_parts   = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44

>
>> as there is an unexpected problem with Jeremy's version, which will
>> reject any x24 in any part of the message.
> [...]
>
> Hello Marius,
>
> would you mind explaining this? There are many differences between
> these rules
>
> J ^.*$
> M ^[.]
>
> J version rejects everything, M matches a leading dot.


Oops. Needs a "\$" not a "$".

> So J [...] the later patterns
> should do the right thing but don't work for me.


Also noted by ITZ; seems there's a bug there.

--
Cheers,
Jeremy
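
An added example, not part of the original message or of Exim: a small Python check of the patterns quoted above against constructed local parts, showing why the unescaped "$" rejects everything and which ordinary local parts the restricted-chars list also catches. It treats each list item as a plain regex; Exim's own string expansion and list parsing are assumed away, and the "\\x24" and "\\0?44" items are left out because the thread reports they do not behave as expected.

```python
import re

# Patterns taken from the thread, applied as plain regexes. Assumption: each
# colon-separated list item is matched on its own against the local part;
# Exim's string expansion and \N handling are not modelled here.
POSTED = [r"^.*$"]                 # first pattern as originally posted
CORRECTED = [r"^.*\$"]             # with the "\$" correction from the reply
RESTRICTED = [r"^[.]", r"^.*[\$@%!/|]", r"^.*x24", r"^.*0.44"]

# Constructed sample local parts (not from the thread).
SAMPLES = ["alice", "first.last", ".hidden", "bob$x", "box24", "id0144", "a!b"]


def first_match(patterns, local_part):
    """Return the first pattern that matches local_part, or None."""
    for pat in patterns:
        if re.search(pat, local_part):
            return pat
    return None


def denied(patterns, samples=SAMPLES):
    """Return the samples a 'deny local_parts = ...' list would reject."""
    return [s for s in samples if first_match(patterns, s) is not None]


def report():
    """Pair each rule set's name with the samples it would reject."""
    rows = []
    for name, pats in (("posted", POSTED), ("corrected", CORRECTED),
                       ("restricted", RESTRICTED)):
        rows.append((name, denied(pats)))
    return rows


if __name__ == "__main__":
    for name, hits in report():
        print(f"{name:<11} denies {hits}")
```

Running candidate patterns over a list of real local parts from your own logs in the same way shows false positives such as "box24" before the ACL goes live.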