SECURITY fix for Exim CVE-2012-5671 - Remote code execution with DKIM decoding

Workaround: "You are not vulnerable if <...> you put this at the start of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt: warn control = dkim_disable_verify" This is backported from the diff between exim 4.80 and 4.80.1 (not updating fully to 4.80.1 yet as this small diff is safer to commit) same diff rpointel@
2012-10-26 08:50:01 +00:00 · 2012-10-26 08:50:01 +00:00 · bb687e1b39
commit bb687e1b39
parent e66033b4a3
3 changed files with 29 additions and 2 deletions
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.89 2012/04/30 13:08:18 espie Exp $
+# $OpenBSD: Makefile,v 1.90 2012/10/26 08:50:01 sthen Exp $

 CATEGORIES =		mail
 COMMENT-main =		flexible mail transfer agent
 COMMENT-eximon =	X11 monitor tool for Exim MTA
 VERSION =		4.77
-REVISION =		1
+REVISION =		2
 DISTNAME =		exim-${VERSION}
 PKGNAME-main =		exim-${VERSION}
 FULLPKGNAME-eximon =	exim-eximon-${VERSION}
--- a/mail/exim/patches/patch-src_dkim_c
+++ b/mail/exim/patches/patch-src_dkim_c
@ -0,0 +1,13 @@
+$OpenBSD: patch-src_dkim_c,v 1.1 2012/10/26 08:50:01 sthen Exp $
+--- src/dkim.c.orig	Mon Oct 10 06:18:13 2011
+++ src/dkim.c	Fri Oct 26 09:39:14 2012
+@@ -42,6 +42,9 @@ int dkim_exim_query_dns_txt(char *name, char *answer) 
+                "%.*s", (int)len, (char *)((rr->data)+rr_offset));
+       rr_offset+=len;
+       answer_offset+=len;
+      if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) {
+        return PDKIM_FAIL;
+      }
+     }
+   }
+   else return PDKIM_FAIL;
--- a/mail/exim/patches/patch-src_pdkim_pdkim_h
+++ b/mail/exim/patches/patch-src_pdkim_pdkim_h
@ -0,0 +1,14 @@
+$OpenBSD: patch-src_pdkim_pdkim_h,v 1.1 2012/10/26 08:50:01 sthen Exp $
+--- src/pdkim/pdkim.h.orig	Mon Oct 10 06:18:13 2011
+++ src/pdkim/pdkim.h	Fri Oct 26 09:39:14 2012
+@@ -27,8 +27,8 @@
+ 
+ /* -------------------------------------------------------------------------- */
+ /* Length of the preallocated buffer for the "answer" from the dns/txt
+-   callback function. */
+-#define PDKIM_DNS_TXT_MAX_RECLEN    4096
+   callback function. This should match the maximum RDLENGTH from DNS. */
+#define PDKIM_DNS_TXT_MAX_RECLEN    (1 << 16)
+ 
+ /* -------------------------------------------------------------------------- */
+ /* Function success / error codes */