[exim-cvs] CVE-2020-28015+28021: New-line injection into spo…

Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] CVE-2020-28015+28021: New-line injection into spool header file
Gitweb: https://git.exim.org/exim.git/commitdiff/b4d476116397d395fb9b424e1e4387736865190c
Commit:     b4d476116397d395fb9b424e1e4387736865190c
Parent:     c82e60b402bd17620e57a0774d27b39d7ea6eb09
Author:     Qualys Security Advisory <qsa@???>
AuthorDate: Sun Feb 21 21:26:53 2021 -0800
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:51 2021 +0200


    CVE-2020-28015+28021: New-line injection into spool header file


    (cherry picked from commit 31b1a42d0bd29cb05f85e56d3343b13bef20a2bd)
    (cherry picked from commit fcddccd650178ceeec3655c6c40f420164a8706e)
---
 src/src/spool_out.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)


diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index bbc798f..8531112 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -105,6 +105,18 @@ return fd;



+static const uschar *
+zap_newlines(const uschar *s)
+{
+uschar *z, *p;
+
+if (Ustrchr(s, '\n') == NULL) return s;
+
+p = z = string_copy(s);
+while ((p = Ustrchr(p, '\n')) != NULL) *p++ = ' ';
+return z;
+}
+
static void
spool_var_write(FILE * fp, const uschar * name, const uschar * val)
{
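Review bot: zap_newlines() is added without a header comment, so nothing at the definition says why '\n' matters or that the returned pointer may be the argument itself. I would add above it `/* The spool header file is written one item per line, so a newline inside a value would start a new line. Returns s itself if it has no newline, otherwise a string_copy() of s with each newline replaced by a space; s must not be NULL. */`. The NULL precondition is worth stating because the later hunks guard authenticated_sender, errors_to and orcpt but pass r->address unchecked, which presumably is never NULL. The body of spool_var_write(), whose signature closes this hunk, is outside the diff.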
@@ -223,7 +235,7 @@ if (body_zerocount > 0) fprintf(fp, "-body_zerocount %d\n", body_zerocount);
if (authenticated_id)
spool_var_write(fp, US"auth_id", authenticated_id);
if (authenticated_sender)
- spool_var_write(fp, US"auth_sender", authenticated_sender);
+ spool_var_write(fp, US"auth_sender", zap_newlines(authenticated_sender));

if (f.allow_unqualified_recipient) fprintf(fp, "-allow_unqualified_recipient\n");
if (f.allow_unqualified_sender) fprintf(fp, "-allow_unqualified_sender\n");
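Review bot: Only the auth_sender value is passed through zap_newlines(); the auth_id call two lines above still hands authenticated_id to spool_var_write() unchanged, as would any other spool_var_write() caller outside this hunk. Whether those values can ever contain a newline depends on code not visible here, so this may be intentional, but sanitising at individual call sites means the question has to be re-argued for every caller. Consider doing it once at the top of spool_var_write() with `val = zap_newlines(val);` (that function's body is outside the diff), or add a comment here stating why only auth_sender needs it.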
@@ -296,19 +308,20 @@ fprintf(fp, "%d\n", recipients_count);
for (int i = 0; i < recipients_count; i++)
{
recipient_item *r = recipients_list + i;
+ const uschar *address = zap_newlines(r->address);

/* DEBUG(D_deliver) debug_printf("DSN: Flags: 0x%x\n", r->dsn_flags); */

   if (r->pno < 0 && !r->errors_to && r->dsn_flags == 0)
-    fprintf(fp, "%s\n", r->address);
+    fprintf(fp, "%s\n", address);
   else
     {
-    uschar * errors_to = r->errors_to ? r->errors_to : US"";
+    const uschar *errors_to = r->errors_to ? zap_newlines(r->errors_to) : CUS"";
     /* for DSN SUPPORT extend exim 4 spool in a compatible way by
     adding new values upfront and add flag 0x02 */
-    uschar * orcpt = r->orcpt ? r->orcpt : US"";
+    const uschar *orcpt = r->orcpt ? zap_newlines(r->orcpt) : CUS"";


-    fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt),
+    fprintf(fp, "%s %s %d,%d %s %d,%d#3\n", address, orcpt, Ustrlen(orcpt),
       r->dsn_flags, errors_to, Ustrlen(errors_to), r->pno);
     }
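Review bot: The newline replacement in the recipient loop is silent, so an address, ORCPT or errors_to value that reaches this point containing '\n' is rewritten with no trace in the logs, even though it means an earlier validation step let it through. Because zap_newlines() returns its argument unchanged when there is nothing to replace, a pointer comparison is enough to detect the case: `if (address != r->address) log_write(0, LOG_MAIN, "newline replaced in recipient address before spooling");`, and likewise for the other two fields. The same applies to the auth_sender call in the previous hunk. The loop's closing brace and the enclosing function lie outside this hunk.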