Re: [exim] for europeans only: EU GDPR and mitigation of CV…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Heiko Schlittermann
Date:  
À: Jay Sekora, exim-users
CC: exim-users
Sujet: Re: [exim] for europeans only: EU GDPR and mitigation of CVE-2019-15846
Heiko Schlittermann <hs@???> (Fr 06 Sep 2019 22:40:19 CEST):
> #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
>   { "tls_sni",             vtype_stringptr,   &tls_in.sni },    /* mind the alphabetical order! */
> #endif

>
> But nevertheless, your Exim is vulnerable. Unfortunnatly the ACL trick
> doesn't work. You can do "binary patching".


Alternativly, can't you build the package for your system on your own?
Install the build dependencies and build it, should be quite simple on
Ubuntu. The patch itself is a oneliner.

diff --git a/src/src/string.c b/src/src/string.c
index 5e48b445c..c6549bf93 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -224,6 +224,8 @@ interpreted in strings.
 Arguments:
   pp       points a pointer to the initiating "\" in the string;
            the pointer gets updated to point to the final character
+           If the backslash is the last character in the string, it
+           is not interpreted.
 Returns:   the value of the character escape
 */


@@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789abcdef";
int ch;
const uschar *p = *pp;
ch = *(++p);
+if (ch == '\0') return **pp;
if (isdigit(ch) && ch != '8' && ch != '9')
{
ch -= '0';
@@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count);
g->ptr = p + count;
return g;
}

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -