Viktor Dukhovni via Exim-users wrote on 16.11.2023 1:58:
> On Wed, Nov 15, 2023 at 07:00:20PM +0000, Andrew C Aitchison via Exim-users wrote:
>> On Wed, 15 Nov 2023, Victor Ustugov via Exim-users wrote:
>>
>>> Hello
>>>
>>> This is a real case.
>>>
>>> Let's resolve the TXT record of the perrigo.com domain.
>>>
>>> # pkg info -E exim
>>> exim-4.96.2
>>>
>>> # echo '${lookup dnsdb{>\n; defer_never,txt=perrigo.com}}' | exim -be |
>>> grep v=spf1
>>> v=spf1 include:spf-00157e01.pphosted.com
>>> include:spf-00157e03.pphosted.com include:spf.protection.outlook.com
>>> include:spf.natchcloud.com include:spf.messagelabs.com
>>> include:spf.mailjet.com a:smtp5.silae.fr include:_spf-dc8.sapsf.co#
>>> include:_spf-dc4.sapsf.com ip4:70.42.227.151/32 ip4:70.42.227.152/32
>>> ip4:65.221.8.29/32 ip4:65.221.12.128/2 ip4:65.221.12.148/32
>>> ip4:198.11.114.29/32 ~all
>>
>> git bisect finds that
>> commit f6b1f8e7d642f82d830a71b78699a4349e0158e1
>> Date: Tue Oct 10 23:03:28 2023 +0100
>>
>> Harden dnsdb against crafted DNS responses. Bug 3033
>>
>> (cherry picked from commit 8787c8994f07c23c3664d76926e02f07314d699d)
>> is to blame.
>>
>> [ I note that the '#' in include:_spf-dc8.sapsf.co# is actually 0x9c. ]
>
> That "9c" is the length of the second DNS character-string in the TXT
> record. A TXT record is a non-empty list of <character-string>, in
> which each string is preceded by a one byte length (0–255).
>
> $ dig +short -t txt perrigo.com | grep 'spf1'
> "v=spf1 include:spf-00157e01.pphosted.com include:spf-00157e03.pphosted.com include:spf.protection.outlook.com include:spf.natchcloud.com include:spf.messagelabs.com include:spf.mailjet.com a:smtp5.silae.fr include:_spf-dc8.sapsf.com" " include:_spf-dc4.sapsf.com ip4:70.42.227.151/32 ip4:70.42.227.152/32 ip4:65.221.8.29/32 ip4:65.221.12.128/32 ip4:65.221.12.148/32 ip4:198.11.114.29/32 ~all"
>
> $ set -- "v=spf1 include:spf-00157e01.pphosted.com include:spf-00157e03.pphosted.com include:spf.protection.outlook.com include:spf.natchcloud.com include:spf.messagelabs.com include:spf.mailjet.com a:smtp5.silae.fr include:_spf-dc8.sapsf.com" " include:_spf-dc4.sapsf.com ip4:70.42.227.151/32 ip4:70.42.227.152/32 ip4:65.221.8.29/32 ip4:65.221.12.128/32 ip4:65.221.12.148/32 ip4:198.11.114.29/32 ~all"
>
> $ printf '%s' "$2" | wc -c
> 156
>
> $ printf "%02x\n" $(printf '%s' "$2" | wc -c)
> 9c
>
> The (new) code that is processing the TXT record is failing to properly
> handle multi-element TXT records. Concatenation of the list elements
> need to happen after removing the fragment length bytes.
dnsdb is failing to properly handle even single-element TXT record:
# host -t txt exim.org
exim.org descriptive text "v=spf1 a ip4:37.221.193.62
ip6:2a03:4000:8:637::2 a:hh.schlittermann.de mx ?all"
exim.org descriptive text "cumin"
exim 4.95:
# echo '${lookup dnsdb{>\n; txt=exim.org}}' | exim -be
> cumin
v=spf1 a ip4:37.221.193.62 ip6:2a03:4000:8:637::2 a:hh.schlittermann.de
mx ?all
>
exim 4.97:
# echo '${lookup dnsdb{>\n; txt=exim.org}}' | exim -be
> cumi
v=spf1 a ip4:37.221.193.62 ip6:2a03:4000:8:637::2 a:hh.schlittermann.de
mx ?al
>
The last character in each record is missing.
--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key:
https://victor.corvax.kiev.ua/corvax.asc
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
