exim uses its own SSL_CIPHER_get_id() which replaces libssl's version
with one that will break once we make SSL_CIPHER opaque.
seems fine to Renaud Allard (maintainer)
Fixes many issues reported (with fixes) last year by Qualys, details will be
available later at https://www.qualys.com/2021/05/04/21nails/21nails.txt
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
"There is a heap-based buffer overflow in string_vformat (string.c).
The currently known exploit uses an extraordinary long EHLO string to
crash the Exim process that is receiving the message. While at this
mode of operation Exim already dropped its privileges, other paths to
reach the vulnerable code may exist."
switch build configuration from a modified static copy of a file from
exim distribution in files/ to copying and patching the actual file from
the distribution; this was badly out of sync with upstream. done by me
based on Renaud's partial update.
"Using a handcrafted message, remote code execution seems to be possible"
thanks to whichever of the distributions that was under embargo and
released early, as this means that the fix was made available sooner
than it would have otherwise been.
and CVE-2017-16944, and other fixes.
Alternative workaround for these two CVEs: disable the SMTP CHUNKING extension
by adding "chunking_advertise_hosts =" to the main configuration section (empty
right-hand-side).
https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
https://bugs.exim.org/show_bug.cgi?id=2199
There is also another issue which is at least a DoS,
https://bugs.exim.org/show_bug.cgi?id=2201 that is *not* patched yet.
The workaround below would help both cases.
From upstream:
"With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:
chunking_advertise_hosts =
That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic. "
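The workaround above can be verified in two places: from the outside, by confirming that CHUNKING no longer appears in the keyword list of the server's EHLO reply (so BDAT is not offered), and from the inside, by confirming that the main configuration section actually carries `chunking_advertise_hosts` with an empty right-hand side rather than the default of advertising to every host. The check below is added here as an example; it is not part of the commit log or of Exim itself, and the EHLO replies, hostnames and address are constructed samples.

```python
import re

# Constructed sample EHLO reply (not captured from a real server) from a server
# that still advertises the ESMTP CHUNKING extension, i.e. BDAT is available.
SAMPLE_EHLO_ADVERTISING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed sample from the same server after "chunking_advertise_hosts ="
# has been applied: CHUNKING is no longer listed.
SAMPLE_EHLO_HARDENED = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def ehlo_keywords(response: str) -> list[str]:
    """Return the upper-cased ESMTP keywords from a multi-line 250 EHLO reply.

    The first 250 line is the server greeting, not an extension keyword, so it
    is skipped. Parameters after the keyword (e.g. the SIZE limit) are dropped.
    """
    lines = [ln for ln in response.splitlines() if ln.strip()]
    keywords = []
    for line in lines[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            keywords.append(m.group(1).upper())
    return keywords


def chunking_advertised(response: str) -> bool:
    """True when the EHLO reply offers CHUNKING (and therefore the BDAT verb)."""
    return "CHUNKING" in ehlo_keywords(response)


def chunking_disabled_in_config(main_section: str) -> bool:
    """True only when chunking_advertise_hosts is set to an empty value.

    Comment lines (starting with '#') are ignored. If the option is absent,
    Exim's default is to advertise CHUNKING to every host, so the workaround is
    reported as not applied. Only the main section text should be passed in.
    """
    for raw in main_section.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"chunking_advertise_hosts\s*=\s*(.*)$", line)
        if m:
            return m.group(1).strip() == ""
    return False


if __name__ == "__main__":
    for label, reply in (("before", SAMPLE_EHLO_ADVERTISING),
                         ("after", SAMPLE_EHLO_HARDENED)):
        print(f"{label}: keywords={ehlo_keywords(reply)} "
              f"chunking_advertised={chunking_advertised(reply)}")
    print("workaround applied:",
          chunking_disabled_in_config("chunking_advertise_hosts =\n"))
```

To use the external check against a live server, feed the text of the reply to your own EHLO into `chunking_advertised`; for the internal check, pass the main section of the configuration, or the output of `exim -bP chunking_advertise_hosts`, which prints the option as `name = value` in the same form the parser expects.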
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely exploitable. CVE-2016-9963.
whoever decided to have an embargo period ending on 25 December: this was
not a particularly good idea
"Any user who can start an instance of Exim (and this is normally *any* user)
can gain root privileges. If you do not use 'perl_startup' you *should* be
safe." CVE-2016-1531
a new libmysqlclient non-blocking API which utilizes co-routines. The X86
specific GCC ASM co-routine support hid the fact that there was an issue.
The only fallback code so far is POSIX user contexts which OpenBSD does not
support.
Input from and Ok sthen@ jasper@