[exim-cvs] Docs: CVE note

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Docs: CVE note
Gitweb: https://git.exim.org/exim.git/commitdiff/c56ed04fb25cb24e21eb2c1d02069482b1a8f458
Commit:     c56ed04fb25cb24e21eb2c1d02069482b1a8f458
Parent:     582f61444fa806694c2caae7c156830dbf8531d7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Dec 29 16:11:02 2023 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Dec 29 16:11:02 2023 +0000


    Docs: CVE note


    Cherry-picked from: 5a8fc0799314
---
 doc/doc-txt/cve-2023-51766 | 69 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)


diff --git a/doc/doc-txt/cve-2023-51766 b/doc/doc-txt/cve-2023-51766
new file mode 100644
index 000000000..d066d8714
--- /dev/null
+++ b/doc/doc-txt/cve-2023-51766
@@ -0,0 +1,69 @@
+CVE ID:     CVE-2023-51766
+Date:       2016-12-15
+Credits:    https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+Version(s): all up to 4.97 inclusive
+Issue:      Given a buggy relay, Exim can be induced to accept a second message embedded
+            as part of the body of a first message
+
+Conditions
+==========
+
+If *all* the following conditions are met
+
+    Runtime options
+    ---------------
+
+    * Exim offers PIPELINING on incoming connections
+
+    * Exim offers CHUNKING on incoming connections
+
+    Operation
+    ---------
+
+    * DATA (as opposed to BDAT) is used for a message reception
+
+    * The relay host sends to the Exim MTA message data including
+      one of "LF . LF" or "CR LF . LF" or "LF . CR LF".
+
+    * Exim interprets the sequence as signalling the end of data for
+      the SMTP DATA command, and hence a first message.
+
+    * Exim interprets further input which the relay had as message body
+      data, as SMTP commands and data. This could include a MAIL, RCPT,
+      BDAT (etc) sequence, resulting in a further message acceptance.
+
+Impact
+======
+
+One or more messages can be accepted by Exim that have not been
+properly validated by the buggy relay.
+
+Fix
+===
+
+Install a fixed Exim version:
+
+    4.98 (once available)
+    4.97.1
+
+If you can't install one of the above versions, ask your package
+maintainer for a version containing the backported fix. On request and
+depending on our resources we will support you in backporting the fix.
+(Please note, that Exim project officially doesn't support versions
+prior the current stable version.)
+
+
+Workaround
+==========
+
+  Disable CHUNKING advertisement for incoming connections.
+
+  An attempt to "smuggle" a DATA command will trip a syncronisation
+  check.
+
+*or*
+
+  Disable PIPELINING advertisement for incoming connections.
+
+  The "smuggled" MAIL FROM command will then trip a syncronisation
+  check.
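Review bot: the Date field at the top of the note reads 2016-12-15, which does not fit the CVE-2023-51766 identifier, the "all up to 4.97 inclusive" version range or the December 2023 commit date; please confirm the intended date before this ships as the official advisory text. The Workaround section also misspells "synchronisation" as "syncronisation" in both the CHUNKING and PIPELINING paragraphs, and the Fix section should read "Please note that the Exim project officially doesn't support versions prior to the current stable version." Minor: the Workaround body is indented two spaces while the Conditions sub-lists use four, so aligning them would keep the file consistent.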

