Marco Gaiarin via Exim-users <exim-users@???> (Fr 06 Sep 2019 23:42:03 CEST):
> Mandi! Heiko Schlittermann via Exim-users
> In chel di` si favelave...
>
> > Add - as part of the mail ACL (the ACL referenced by the main config
> > option "acl_smtp_mail"):
> > deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
> > deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
>
> For very old exim, eg 4.80, there's no _in_ and _out_ variables, so:
>
> deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_sni}}}}
> deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_peerdn}}}}
>
And, if your Exim is linked against GnuTLS there is no $tls_sni variable
at all. But - to my knowledge - the exploitable string is written to the
-H spool file anyway (and read back).
So you can't protect yourself simply by using the above ACL statements.
Best option: install 4.92.2
2nd best option: use the source of your installed version
and apply the patch (it is a single line, check
the commit 2600301ba6dbac5c9d640c87007a07ee6dcea1f4
and look for file src/src/string.c
3rd best option: do binary patching and replace the string "-tls_sni"
by e.g. "-foo_bar" (not sure about the impact
though, untested)
Here is the patch, the important part is the line "+if (ch == '\0') ..."
diff --git a/src/src/string.c b/src/src/string.c
index 5e48b445c..c6549bf93 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -224,6 +224,8 @@ interpreted in strings.
Arguments:
pp points a pointer to the initiating "\" in the string;
the pointer gets updated to point to the final character
+ If the backslash is the last character in the string, it
+ is not interpreted.
Returns: the value of the character escape
*/
@@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789abcdef";
int ch;
const uschar *p = *pp;
ch = *(++p);
+if (ch == '\0') return **pp;
if (isdigit(ch) && ch != '8' && ch != '9')
{
ch -= '0';
@@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count);
g->ptr = p + count;
return g;
}
-
-
+
+
gstring *
string_cat(gstring *string, const uschar *s)
{
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
