summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/doc-txt/ChangeLog9
-rw-r--r--src/src/spam.c6
2 files changed, 11 insertions, 4 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 157433630..427270499 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.507 2007/05/11 08:50:42 tom Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.508 2007/05/14 18:56:25 magnus Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -28,6 +28,13 @@ PH/02 When an IPv6 address is converted to a string for single-key lookup
TK/01 Change PRVS address formatting scheme to reflect latests BATV draft
version.
+MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
+ conversion specification without a maximum field width, thereby enabling
+ a rogue spamd server to cause a buffer overflow. While nobody in their
+ right mind would setup Exim to query an untrusted spamd server, an
+ attacker that gains access to a server running spamd could potentially
+ exploit this vulnerability to run arbitrary code as the Exim user.
+
Exim version 4.67
-----------------
diff --git a/src/src/spam.c b/src/src/spam.c
index 700200605..99c6d0c5a 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/spam.c,v 1.13 2006/09/05 14:05:43 ph10 Exp $ */
+/* $Cambridge: exim/src/src/spam.c,v 1.14 2007/05/14 18:56:25 magnus Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -316,11 +316,11 @@ again:
(void)close(spamd_sock);
/* dig in the spamd output and put the report in a multiline header, if requested */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
/* try to fall back to pre-2.50 spamd output */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
log_write(0, LOG_MAIN|LOG_PANIC,
"spam acl condition: cannot parse spamd output");