[exim-cvs] SECURITY: fix Qualys CVE-2020-SLCWD

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] SECURITY: fix Qualys CVE-2020-SLCWD
Gitweb: https://git.exim.org/exim.git/commitdiff/5dc522966ae58ac845dc280495af651c9858f152
Commit:     5dc522966ae58ac845dc280495af651c9858f152
Parent:     4938e65b323e0cbc06c7e0fd06575b7eb7780ee4
Author:     Phil Pennock <phil+git@???>
AuthorDate: Thu Oct 29 11:47:58 2020 -0400
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:24 2021 +0200


    SECURITY: fix Qualys CVE-2020-SLCWD


    (cherry picked from commit bf5f9d56fadf9be8d947f141d31f7e0e8fa63762)
    (cherry picked from commit 6d2cfb575c95c1b81597d6b9eb2904cd695d7e4a)
---
 doc/doc-txt/ChangeLog |  8 ++++----
 src/src/exim.c        |  6 ++++++
 src/src/macros.h      | 14 +++++++++-----
 3 files changed, 19 insertions(+), 9 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4c6eb81..ba9cc1c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -263,12 +263,12 @@ PP/02 Bug 2643: Correct TLS DH constants.
       incorrect Diffie-Hellman constants in the Exim source.
       Reported by kylon94, code-gen tool fix by Simon Arlott.


-PP/03 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
-      better.  Reported by Qualys.
-
-PP/04 Impose security length checks on various command-line options.
+PP/03 Impose security length checks on various command-line options.
       Fixes CVE-2020-SPRSS reported by Qualys.


+PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
+      better.  Reported by Qualys.
+


Exim version 4.94
-----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index 49f7e5f..1b7529c 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3870,7 +3870,13 @@ during readconf_main() some expansion takes place already. */

/* Store the initial cwd before we change directories. Can be NULL if the
dir has already been unlinked. */
+errno = 0;
initial_cwd = os_getcwd(NULL, 0);
+if (!initial_cwd && errno)
+ exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
+
+if (initial_cwd && (strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE))
+ exim_fail("exim: initial cwd is far too long (%d)\n", Ustrlen(CCS initial_cwd));

 /* checking:
     -be[m] expansion test        -
diff --git a/src/src/macros.h b/src/src/macros.h
index 72856a5..f8987d6 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -154,7 +154,9 @@ enough to hold all the headers from a normal kind of message. */


/* The initial size of a big buffer for use in various places. It gets put
into big_buffer_size and in some circumstances increased. It should be at least
-as long as the maximum path length. */
+as long as the maximum path length PLUS room for string additions.
+Let's go with "at least twice as large as maximum path length".
+*/

 #ifdef AUTH_HEIMDAL_GSSAPI
         /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
@@ -163,10 +165,12 @@ as long as the maximum path length. */
 # define __BIG_BUFFER_SIZE 16384
 #endif


-#if defined PATH_MAX && PATH_MAX > __BIG_BUFFER_SIZE
-# define BIG_BUFFER_SIZE PATH_MAX
-#elif defined MAXPATHLEN && MAXPATHLEN > __BIG_BUFFER_SIZE
-# define BIG_BUFFER_SIZE MAXPATHLEN
+#ifndef PATH_MAX
+/* exim.h will have ensured this exists before including us. */
+# error headers confusion, PATH_MAX missing in macros.h
+#endif
+#if (PATH_MAX*2) > __BIG_BUFFER_SIZE
+# define BIG_BUFFER_SIZE (PATH_MAX*2)
#else
# define BIG_BUFFER_SIZE __BIG_BUFFER_SIZE
#endif