summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-05-27CVE-2020-28014, CVE-2021-27216: PID file handlingHeiko Schlittermann (HS12-RIPE)
Arbitrary PID file creation, clobbering, and deletion. Patch provided by Qualys. (cherry picked from commit 974f32939a922512b27d9f0a8a1cb5dec60e7d37) (cherry picked from commit 43c6f0b83200b7082353c50187ef75de3704580a)
2021-05-27Add priv.c: reworked version of priv dropping codeHeiko Schlittermann (HS12-RIPE)
(cherry picked from commit 82b545236e6dc82b7af34528c532811bfc74ea19) (cherry picked from commit be31ef213f118abe5fc68732f5492b6b16d28b87)
2021-05-27CVE-2020-28008: Assorted attacks in Exim's spool directoryHeiko Schlittermann (HS12-RIPE)
We patch dbfn_open() by introducing two functions priv_drop_temp() and priv_restore() (inspired by OpenSSH's functions temporarily_use_uid() and restore_uid()), which temporarily drop and restore root privileges thanks to seteuid(). This goes against Exim's developers' wishes ("Exim (the project) doesn't trust seteuid to work reliably") but, to the best of our knowledge, seteuid() works everywhere and is the only way to securely fix dbfn_open(). (cherry picked from commit 18da59151dbafa89be61c63580bdb295db36e374) (cherry picked from commit b05dc3573f4cd476482374b0ac0393153d344338)
2021-05-27CVE-2020-28019: Failure to reset function pointer after BDAT errorJeremy Harris
Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy Harris's commits aa171254 and 9aceb5c2. (cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f) (cherry picked from commit 99d057fad97a2def9f000ebccda83e4008112819)
2021-05-27SECURITY: smtp_out: Leave a clean input buffer, even in case of read errorHeiko Schlittermann (HS12-RIPE)
Credits: Qualys 7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated when -1 is returned. This does not seem to have bad consequences, but is maybe not the intended behavior. (cherry picked from commit f7ac5a7d1e817bf60f161e7a1d40b65d66da607f) (cherry picked from commit 13f9998ebb937970d1d9d18f205a6e03e14105b4)
2021-05-27SECURITY: Avoid modification of constant dataHeiko Schlittermann (HS12-RIPE)
Credits: Qualys 6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called with a global orig_data and hence canon_data, and the following line can therefore modify data that should be constant: 773 canon_data->len = b->bodylength - b->signed_body_bytes; For example, the following proof of concept sets lineending.len to 0 (this should not be possible): (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25 (gdb) print lineending $1 = {data = 0x55e18035b2ad "\r\n", len = 2} (gdb) print &lineending.len $3 = (size_t *) 0x55e180385948 <lineending+8> (gdb) watch *(size_t *) 0x55e180385948 Hardware watchpoint 1: *(size_t *) 0x55e180385948 Old value = 2 New value = 0 (gdb) print lineending $5 = {data = 0x55e18035b2ad "\r\n", len = 0} (cherry picked from commit 9fce76f56459dde7489eb21ce1ff822e04e10f43) (cherry picked from commit 667fb25b8f0dc3fbac57bce4051e345555fa776a)
2021-05-27SECURITY: Avoid memory corruption in dkim handlingHeiko Schlittermann (HS12-RIPE)
Credits: Qualys 6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called with a global orig_data and hence canon_data, and the following line can therefore modify data that should be constant: 773 canon_data->len = b->bodylength - b->signed_body_bytes; For example, the following proof of concept sets lineending.len to 0 (this should not be possible): (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25 (gdb) print lineending $1 = {data = 0x55e18035b2ad "\r\n", len = 2} (gdb) print &lineending.len $3 = (size_t *) 0x55e180385948 <lineending+8> (gdb) watch *(size_t *) 0x55e180385948 Hardware watchpoint 1: *(size_t *) 0x55e180385948 Old value = 2 New value = 0 (gdb) print lineending $5 = {data = 0x55e18035b2ad "\r\n", len = 0} (cherry picked from commit ea850e27714ccda2090d781ebe89b410bc38c2c6) (cherry picked from commit 4e784efa28b25683c81a857b464777df593cabee)
2021-05-27SECURITY: Avoid decrement of dkim_collect_input if already at 0Heiko Schlittermann (HS12-RIPE)
Credits: Qualys 5/ receive_msg() calls dkim_exim_verify_finish(), which sets dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX, which reactivates the DKIM code. As a result, pdkim_feed() is called again (through receive_getc at the end of receive_msg()), but functions like pdkim_finish_bodyhash() and exim_sha_finish() have already been called (in pdkim_feed_finish()). This suggests a use-after-free. But it seems that a use-after-free would happen only with EVP_DigestFinal() (in exim_sha_finish()), which does not seem to be reachable via DKIM (no SHA3). But we checked OpenSSL only, not GnuTLS. Here is a proof of concept that triggers the bug (which came very close to a security vulnerability): (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'BDAT 42 LAST'; date >&2; sleep 30; printf 'not a valid header line\r\nDKIM-Signature:\r\nXXX'; sleep 30) | nc -n -v 192.168.56.102 25 (gdb) print &dkim_collect_input $2 = (unsigned int *) 0x55e180386d90 <dkim_collect_input> (gdb) watch *(unsigned int *) 0x55e180386d90 Hardware watchpoint 1: *(unsigned int *) 0x55e180386d90 Old value = 0 New value = 4294967295 #0 0x000055e18031f805 in pdkim_header_complete (ctx=ctx@entry=0x55e181b9e8e0) at pdkim.c:1006 #1 0x000055e18032106c in pdkim_feed_finish (ctx=0x55e181b9e8e0, return_signatures=0x55e180386d78 <dkim_signatures>, err=err@entry=0x7ffe443e1d00) at pdkim.c:1490 #2 0x000055e1802a3280 in dkim_exim_verify_finish () at dkim.c:328 #3 0x000055e1802c9d1d in receive_msg (extract_recip=extract_recip@entry=0) at receive.c:3409 (cherry picked from commit e3674091056ac05eb7ef1c504accce790c434bd7) (cherry picked from commit 8b39dd074e3ec70cbda70a52cef5b71ecbf69499)
2021-05-27SECURITY: Check overrun rcpt_count integerHeiko Schlittermann (HS12-RIPE)
Credits: Qualys 4/ In src/smtp_in.c: 4966 case RCPT_CMD: 4967 HAD(SCH_RCPT); 4968 rcpt_count++; .... 5123 if (rcpt_count > recipients_max && recipients_max > 0) In theory this recipients_max check can be bypassed, because the int rcpt_count can overflow (become negative). In practice this would either consume too much memory or generate too much network traffic, but maybe it should be fixed anyway. (cherry picked from commit 04139ca809fbe56d8fe9c55a77640ea9fa93b8f1) (cherry picked from commit db96ca55137d7684a9afdf9d118feed9116906b7)
2021-05-27SECURITY: Fix safeguard against upward traversal in msglog files.Heiko Schlittermann (HS12-RIPE)
Credits: Qualys 3/ In src/deliver.c: 333 static int 334 open_msglog_file(uschar *filename, int mode, uschar **error) 335 { 336 if (Ustrstr(filename, US"/../")) 337 log_write(0, LOG_MAIN|LOG_PANIC, 338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename); Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log the /../ attempt but will open the file anyway. (cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf) (cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976)
2021-05-27SECURITY: Don't miss the very last byte when reading long lines from -HHeiko Schlittermann (HS12-RIPE)
Credits: Qualys 2/ In src/spool_in.c: 462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1 463 && big_buffer[len-1] != '\n' 464 ) 465 { /* buffer not big enough for line; certs make this possible */ 466 uschar * buf; 467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR; 468 buf = store_get_perm(big_buffer_size *= 2, FALSE); 469 memcpy(buf, big_buffer, --len); The --len in memcpy() chops off a useful byte (we know for sure that big_buffer[len-1] is not a '\n' because we entered the while loop). (cherry picked from commit 58454ea01c2e817481770954edf09ad82f3cd417) (cherry picked from commit 2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4)
2021-05-27SECURITY: off-by-one in smtp transport (read response)Heiko Schlittermann (HS12-RIPE)
Credits: Qualys 1/ In src/transports/smtp.c: 2281 int n = sizeof(sx->buffer); 2282 uschar * rsp = sx->buffer; 2283 2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2) 2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; } This should probably be either: rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1; or: rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; (not sure which) to avoid an off-by-one. (cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38) (cherry picked from commit 4045cb01a590ec480f45f80967cd9c59fe23a5d0)
2021-05-27Start documenting the things we changed incompatibly.Phil Pennock
(cherry picked from commit 8dad4da53bad2ed3b29fa6a3b9ef59bfec73dc0e) (cherry picked from commit 125f0d4afbc858cf514c29326a3016c2d9d7bdc1)
2021-05-27Inline four often-called new functionsPhil Pennock
The BDAT state switchers should happen so often during SMTP reception that a compiler hint to inline seems wise. The length filter checks happen on every start-up, which for Exim is often enough that I think an inline these is warranted too. (cherry picked from commit 6e3d0e3f1c8228ef19a3d1ba61f131cef3172ceb) (cherry picked from commit 6ca5fcba34070f4495a0188f16eb2e4d78f3430a)
2021-05-27Fixes for compilationJeremy Harris
(cherry picked from commit 85a90771a373aaaced64b92d7176a8a310490b9e) (cherry picked from commit da683a61556bbbebdffcbebf2668da58da59f898)
2021-05-27SECURITY: rework BDAT receive function handlingPhil Pennock
(cherry picked from commit dd1b9b753bb7c42df2b8f48d726b82928b67940b) (cherry picked from commit 96fb195ebc2eb6790e6ad6dde46d478aee62198d)
2021-05-27SECURITY: fix SMTP verb option parsingPhil Pennock
A boundary case in looking for an opening quote before the closing quote could walk off the front of the buffer. (cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8) (cherry picked from commit 467948de0c407bd2bbc2e84abbbf09f35b035538)
2021-05-27SECURITY: Avoid integer overflow on too many recipientsPhil Pennock
(cherry picked from commit 323ff55e67b44e95f9d3cfaba155e385aa33c4bd) (cherry picked from commit 3a54fcd1e303bf1cc49beca7ceac35d7448860a9)
2021-05-27SECURITY: default recipients_max to 50,000Phil Pennock
A default of "unlimited" can have unfortunate consequences when people start putting many millions of recipients on a message. (cherry picked from commit 1d7780722a66cea8da5fa4ae0775e85d185fbf7e) (cherry picked from commit a6e1f69d82adcfd3caab8f228d96750dfddc8f07)
2021-05-27SECURITY: a second negative store guardPhil Pennock
(cherry picked from commit 706864e934c70941ce7a327f97b7649a1e5f5556) (cherry picked from commit 9f06dcd6848052f2524658bf871c60a8d48c7dbe)
2021-05-27SECURITY: refuse too small store allocationsPhil Pennock
Negative sizes are definitely bad. Optimistically, I'm saying that zero is bad too. But perhaps we have something doing that, expecting to be able to grow. In which case we'll have to amend this. (cherry picked from commit 1c9afcec0043e2fb72607b2addb0613763705549) (cherry picked from commit 6f5d7e5af8eff688c36f81334e4f063689561963)
2021-05-27SECURITY: fix Qualys CVE-2020-PFPZAPhil Pennock
(cherry picked from commit 29d7a8c25f182c91d5d30f124f9e296dce5c018e) (cherry picked from commit 0a6a7a3fd8464bae9ce0cf889e8eeb0bf0bab756)
2021-05-27SECURITY: fix Qualys CVE-2020-PFPSNPhil Pennock
(cherry picked from commit 93b6044e1636404f3463f3e1113098742e295542) (cherry picked from commit 4e59a5d5c448e1fcdcbead268ffe6561adf0224d)
2021-05-27SECURITY: fix Qualys CVE-2020-SLCWDPhil Pennock
(cherry picked from commit bf5f9d56fadf9be8d947f141d31f7e0e8fa63762) (cherry picked from commit 6d2cfb575c95c1b81597d6b9eb2904cd695d7e4a)
2021-05-27SECURITY: pick up more argv length checksPhil Pennock
(cherry picked from commit f28a6a502c7973d8844d11d4b0990d4b0359fb3f) (cherry picked from commit 7a7136ba7f5c2db33c7e320ffd4675335c4557e5)
2021-05-27SECURITY: length limits on many cmdline optionsPhil Pennock
We'll also now abort upon, rather than silently truncate, a driver name (router, transport, ACL, etc) encountered in the config which is longer than the 64-char limit. (cherry picked from commit ff8bef9ae2370db4a7873fe2ce573a607fe6999f) (cherry picked from commit a8bd24b96c2027fd839f95a9e6b3282453ae288e)
2021-05-27Re-ran the conversion of all DH parametersPhil Pennock
I get different results now to those I got before. Now, using gen_pkcs3 linked against OpenSSL 1.1.1f-1ubuntu2 on Focal Fossa, I get the results below. The ffdhe2048 value now matches that at <https://ssl-config.mozilla.org/ffdhe2048.txt>. I ran the same code yesterday for just the ffdhe2048 item and got code which seemed to me then to match what was already in the C file. Something hinky is going on, perhaps with my sanity. (the commit IDs changee because of heavy rebasing (heiko)) (cherry picked from commit 76ed8115182e2daaadb437ec9655df8000796ec5) (cherry picked from commit 0aafa26a5d3d528e79476c91537c28936154fe04)
2021-05-27gen_pkcs3: Terminate string before calling BH_hex2bn()Simon Arlott
Signed-off-by: Phil Pennock <pdp@exim.org> (cherry picked from commit 1cf66e5872d517b620c308af634e4e26e3547f06) (cherry picked from commit 48d8c54ecf9493c709d4305850877b6062f285a7)
2021-05-27Default config: reject on too many bad RCPTPhil Pennock
An example exploit failed against my system, because I had this sanity guard in place; it's not a real security fix since a careful attacker could find enough valid recipients to hit that problem, but it highlights that this is a useful enough pattern that we should encourage its wider use. (cherry picked from commit 2a636a39fff29b7c3da1798767a510dfed982a62) (cherry picked from commit 346f96bad326893f9c1fa772a5b8ac35b1f8f7bd)
2021-05-27Handle SIGINT as we do with SIGTERMHeiko Schlittermann (HS12-RIPE)
(cherry picked from commit cdc5c672e1c309294626cd5ed90acdccb05baaa1) (cherry picked from commit f9c8211fb0ad0dd362f471978a5e0abc5dfa71b4)
2021-05-27Enforce pid_file_path start at "/"Heiko Schlittermann (HS12-RIPE)
(cherry picked from commit 60f2a8e797d9ebaea1e3eac4ad28ff64e11bab40) (cherry picked from commit 6b3d553c733475a1033c8b7a241e6506d7ed73b1)
2021-05-27testsuite: tidy logs/4520 and confs/4520Heiko Schlittermann (HS12-RIPE)
This fixed 4520 failure en-passant, but I'm sure it's a timing issue here (the order of the mainlog output lines didn't exactly match the logs/4520) (cherry picked from commit 95306ca61531d9d79c5dac808a5a571158acd29c) (cherry picked from commit 0439d2e0566d64c84feaf1434e0e4a3fd8ce29b3)
2021-05-27tidyHeiko Schlittermann (HS12-RIPE)
(cherry picked from commit 7973b58af7db0fb8fddb54b366dcf43c7ce131ec) (cherry picked from commit b7e726f6ae4c6f19e7efc4e6b10ec35e5b01368c)
2021-05-25Use separate line in Received: header for timestampJeremy Harris
2021-05-18Docs: assorted fixesu34
Closes 2752 Closes 2753 Closes 2658 Closes 2659 Closes 2712 Closes 2720 Closes 2721 Closes 2722 Closes 2746 Closes 2748 Closes 2749
2021-05-18Docs: typoHeiko Schlittermann (HS12-RIPE)
2021-05-17Fix host_name_lookup (Close 2747)Heiko Schlittermann (HS12-RIPE)
Thanks to Nico R for providing a reproducing configuration. host_lookup = * message_size_limit = ${if def:sender_host_name {32M}{32M}} acl_smtp_connect = acl_smtp_connect acl_smtp_rcpt = acl_smtp_rcpt begin acl acl_smtp_connect: warn ratelimit = 256 / 1m / per_conn accept acl_smtp_rcpt: accept hosts = 127.0.0.* begin routers null: driver = accept transport = null begin transports null: driver = appendfile file = /dev/null Tested with swaks -f mailbox@example.org -t mailbox@example.org --pipe 'exim -bh 127.0.0.1 -C /opt/exim/etc/exim-bug.conf' The IP must have a PTR to "localhost." to reproduce it. (cherry picked from commit 20812729e3e47a193a21d326ecd036d67a8b2724)
2021-05-12Named Queues: fix immediate-delivery. Bug 2743Jeremy Harris
2021-05-11OpenBSD: remove redundant platform defineJeremy Harris
2021-05-11TLS DANE to multiple recipients w/ different DNSSec statusHeiko Schlittermann (HS12-RIPE)
2021-05-11Fix DANE + SNI handling (Bug 2265)Heiko Schlittermann (HS12-RIPE)
Broken in d8e99d6047e709b35eabb1395c2046100d1a1dda Thanks to JGH and Wolfgang Breyha for contributions. (cherry picked from commit e8ac8be0a3d56ba0a189fb970c339ac6e84769be)
2021-05-08DNS: Better handling of SOA when negative-caching lookupsJeremy Harris
2021-05-05wipJeremy Harris
2021-05-04Debug: output dmarc library versionJeremy Harris
2021-05-04Fix ${ipv6norm:}Jeremy Harris
2021-04-27Docs: typo. Closes 2713Heiko Schlittermann (HS12-RIPE)
2021-04-25tidyingJeremy Harris
2021-04-25Testsuite: tidyingJeremy Harris
2021-04-25Taint: enforce untainted ACL text lineJeremy Harris
2021-04-21Fix time usage on non-subtick-resolution platformsSimon Arlott