authorMagnus Holmgren <holmgren@lysator.liu.se>2007-05-14 18:56:25 +0000
committerMagnus Holmgren <holmgren@lysator.liu.se>2007-05-14 18:56:25 +0000
commit0806a9c5bfe809d616ae63fa68e959a2fac2a864 (patch)
treeccf3ad57110bf850a58633f06e5e136565943962 /src
parent2e30fa9d9b2353551db96aef5c770460f92e1515 (diff)
The "spam" ACL condition code contained a sscanf() call with a %s
conversion specification without a maximum field width, thereby enabling a rogue spamd server to cause a buffer overflow. While nobody in their right mind would set up Exim to query an untrusted spamd server, an attacker that gains access to a server running spamd could potentially exploit this vulnerability to run arbitrary code as the Exim user.
Diffstat (limited to 'src')
-rw-r--r--src/src/spam.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/src/spam.c b/src/src/spam.c
index 700200605..99c6d0c5a 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/spam.c,v 1.13 2006/09/05 14:05:43 ph10 Exp $ */
+/* $Cambridge: exim/src/src/spam.c,v 1.14 2007/05/14 18:56:25 magnus Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -316,11 +316,11 @@ again:
(void)close(spamd_sock);
/* dig in the spamd output and put the report in a multiline header, if requested */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
/* try to fall back to pre-2.50 spamd output */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
log_write(0, LOG_MAIN|LOG_PANIC,
"spam acl condition: cannot parse spamd output");
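Review bot: The width 7 in both `%7s` conversions (the primary sscanf and the pre-2.50 fallback) is a bare literal that is only safe while `spamd_version` holds at least 8 bytes, and that declaration is outside this hunk, so the bound should be checked against it. A comment beside each call, for example `/* %7s: keep at sizeof(spamd_version) - 1 */`, would keep the two in step, since a later change to the buffer size would silently bring back the overflow from a spamd response. A version token longer than seven characters now fails the literal match that follows it in the format and ends up in the existing "cannot parse spamd output" branch, which appears to be the intended outcome but is worth stating in that comment. The enclosing function starts and ends outside the hunk.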