Re: [exim] CVE-2019-10149: already vulnerable ?

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
On 03/07/2019 20:02, Heiko Schlittermann via Exim-users wrote:
> Marc Haber via Exim-users <exim-users@???> (Mi 03 Jul 2019 18:17:24 CEST):
>> On Sun, 23 Jun 2019 20:02:33 +0100, Jeremy Harris via Exim-users
>> <exim-users@???> wrote:
>>>  deny  local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>>>        message = no mate

>>
>> This might be a really stupid question, but what exactly does that do?
>>
>> ^.*$ blocks local_parts containing a $
>> ^.\\x24 does the same?
>> but I'm stymied about the \\0.44 notation, what's that?
>
> From my POV ^.*$ matches *any* local_part, as $ is the string's end anchor, isn't it?.
> But I can't imagine that such mistake happens to Jeremy, so I assume, I'm missing the point here.


You're not missing the point at all; I made a foolish error.
That should have been ^.*\$ - to get any local_part containing
a dollar.

> \\x24 should match the literal \x24, which may be used to encode the
> dollar sign for the unintended local_part expansion in the vulnerable
> code.
>
> \\044 and \\44 may encode the dollar sign in base8 notation, with and
> w/o the leading zero. Both are collapsed into \\0?44


Yes. But (MH) note there is a question-mark there, not a period.

--
Cheers,
Jeremy