[exim-dev] [Bug 2526] New: Buffer overrun or unterminated NT…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2526] New: Buffer overrun or unterminated NTS in dkim_exim_verify_log_sig (sig->identity)
https://bugs.exim.org/show_bug.cgi?id=2526

            Bug ID: 2526
           Summary: Buffer overrun or unterminated NTS in
                    dkim_exim_verify_log_sig (sig->identity)
           Product: Exim
           Version: 4.89
          Hardware: x86
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: DKIM
          Assignee: tom@???
          Reporter: serg.brester@???
                CC: exim-dev@???


# exim --version
Exim version 4.89 #1 built 03-Sep-2019 18:01:38
# lsb_release -d
Description:    Debian GNU/Linux 9.12 (stretch)                                 



Log-excerpt (special chars are replaced):

2020-02-12 01:47:19 1j1gBT-0001BQ-LE DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com\x93\xd4\x0c\x84\xbd\x0f\xd2_o=\x19\xb2 [verification
succeeded]
2020-02-13 01:52:38 1j22kA-0002xV-7g DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com-\xbe\xaaN\xba_\x06y\xb8\xebS\x01 [verification
succeeded]
2020-02-14 01:52:56 1j2PE0-0004fp-Ov DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024 i=@testagent.example.com\xd3\x957J\xbf?
\x8c\xb5R\xe7\x12 [verification succeeded]
2020-02-16 01:50:28 1j388i-0007wX-Nz DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com\x99\xbcr\x0c\xe9\xcc\x12\x81\xa6\x1b\x90\xe6
[verification succeeded]
2020-02-17 02:32:07 1j3VGZ-00019x-0W DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com\x9dF\xado\xcdi.]$\xa8\xf4\xee [verification
succeeded]


It looks like "sig->identity" could have a BO or is not properly terminated (or
has a wrong length), at least when it gets logged; see:

https://github.com/Exim/exim/blob/1d717e1c110562fd6bf28478c79f180cafeba776/src/src/dkim.c#L206

Anyway, the string "suffix" after the identity (e.g.
"\x93\xd4\x0c\x84\xbd\x0f\xd2_o=\x19\xb2") does not look right to me.

I see that sporadically in the Exim log for different e-mail addresses (my IDS
system notices occasionally that the encoding of the log file is not well-formed
UTF-8).

Unfortunately the mails have already been removed, but if I get it again, I'll
provide the header of the mail that caused it.

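
Added example, not part of the original report and not Exim code: a Python check that a log monitor could run over lines in the "DKIM:" format shown in the excerpt, flagging entries where i= carries bytes after the d= domain. The regex, the function names and the two sample lines marked as constructed are assumptions based only on the excerpt above.

```python
import re

# "DKIM:" line shape from the report; bytes, since affected lines are not valid UTF-8.
DKIM_LINE = re.compile(
    rb"^\S+ \S+ (?P<msgid>\S+) DKIM: d=(?P<d>\S+) "
    rb".*?\bi=(?P<i>.*) \[(?P<result>[^\]]+)\]$"
)
# Printable ASCII minus space and backslash (a backslash marks an escaped byte, e.g. \x93).
SANE = re.compile(rb"^[!-\[\]-~]*$")


def check_line(raw: bytes):
    """Return None for a clean or non-DKIM line, else (msgid, reason, bytes)."""
    m = DKIM_LINE.match(raw.rstrip(b"\r\n"))
    if not m:
        return None
    msgid, d, ident = m["msgid"].decode("ascii", "replace"), m["d"].lower(), m["i"]
    _local, at, domain = ident.partition(b"@")
    if not at:
        return (msgid, "i= has no @", ident)
    dl = domain.lower()
    # RFC 6376: the i= domain must equal d= or be a subdomain of it.
    if dl == d or dl.endswith(b"." + d):
        return None if SANE.match(ident) else (msgid, "unexpected bytes in i=", ident)
    pos = dl.find(d)
    if pos != -1 and (pos == 0 or dl[pos - 1:pos] == b"."):
        return (msgid, "bytes after d= domain in i=", domain[pos + len(d):])
    return (msgid, "i= domain does not match d=", domain)


def scan(lines):  # findings for every flagged line, in input order
    return [f for f in map(check_line, lines) if f is not None]


PREFIX = b"DKIM: d=testagent.example.com s=sim c=relaxed/relaxed a=rsa-sha256 b=1024 "
SAMPLE = [
    # First entry of the report's excerpt, re-joined onto one line (escaped form).
    b"2020-02-12 01:47:19 1j1gBT-0001BQ-LE " + PREFIX
    + rb"i=@testagent.example.com\x93\xd4\x0c\x84\xbd\x0f\xd2_o=\x19\xb2 [verification succeeded]",
    # Constructed: the same kind of entry with raw (unescaped) bytes.
    b"2020-02-12 01:47:20 XXXXXX-000000-XX " + PREFIX
    + b"i=@testagent.example.com\x93\xd4\x0c [verification succeeded]",
    # Constructed: a well-formed entry that must not be flagged.
    b"2020-02-12 01:47:21 YYYYYY-000000-YY " + PREFIX
    + b"i=@testagent.example.com [verification succeeded]",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Open the log in binary mode when feeding it to scan(), so that the malformed bytes reach the check unchanged.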