| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
Recent versions of GnuTLS by default disallow use of some methods now regarded as
weak. This probably mean sha1, which is deprecated per DKIM standards.
|
|
|
|
|
|
It results in rearranged logging output, causing testsuite case failures
The downside is that we lose debug visbility of the extra process startup
Broken-by: b6c1434e47
|
|
Broken-by: b6c1434e47
|
|
(cherry picked from commit 919111edac911ba9c15422eafd7c5bf14d416d26)
|
|
Now it breaks 471, and overlong addresses won't make it into the rewrite
process, as they are handled as empty.
(cherry picked from commit 506286c62b8786a926dafb5bb05d3103492b86bc)
|
|
(cherry picked from commit 39d83bf19fc0c4364e0a665360b14194c62e4ab4)
|
|
(cherry picked from commit bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb)
(cherry picked from commit fee1a06ec05e58e0cda8cf04f28240688736f945)
|
|
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
(cherry picked from commit 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)
|
|
Based on Phil Pennock's commit 76a1ce77.
Modified by Qualys.
(cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)
(cherry picked from commit 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46)
|
|
Based on Heiko Schlittermann's commits f880c7f3 and c118c7f4. This
fixes:
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit 92359a62a0e31734ad8069c66f64b37f9eaaccbe)
(cherry picked from commit c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210)
|
|
Based on Heiko Schlittermann's commit 54895bc3. This fixes:
7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
(cherry picked from commit 30f5d98786fb4e6ccfdd112fe65c153f0ee34c5f)
(cherry picked from commit d600f6c4d0c5d33e3988dfbfee248ff6a1536673)
|
|
(cherry picked from commit e20aa895b37f449d5c81c3e7b102fc534b5d23ba)
(cherry picked from commit 3b8c0ceb7339329188e19efb907da950dbe691d1)
|
|
(cherry picked from commit 72dad1e64bb3d1ff387938f59678098cab1f60a3)
(cherry picked from commit 645a31d16195bb6b73f0a0d0c04b2251e5b28421)
|
|
(cherry picked from commit 998e5a9db121c3eff15cac16859bdffd7adcbe57)
(cherry picked from commit 638f7ca75694bcbb70cfbe7db2ef52af4aca5c83)
|
|
(cherry picked from commit bbf1bb10bee5a1d7cbcc97f178b348189219eb7d)
(cherry picked from commit 1241deaefb71c40436320af7d0bd04c7c9e54241)
|
|
(cherry picked from commit 31b1a42d0bd29cb05f85e56d3343b13bef20a2bd)
(cherry picked from commit fcddccd650178ceeec3655c6c40f420164a8706e)
|
|
This also fixes:
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
Based on a patch done by Qualys.
(cherry picked from commit f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799)
(cherry picked from commit 4daba4bec729a57fb0863af786a1395e70794c76)
|
|
Based on Phil Pennock's commit c5017adf.
(cherry picked from commit 9e941e1807b624b255c9ec0f41a0b3a89e144de3)
(cherry picked from commit 33d4c87653ddbbea9fd8cb8eb2ff78c149850006)
|
|
Based on Phil Pennock's commit e3b441f7.
(cherry picked from commit 18a19e18242edc5ab2082fa9c41cd6210d1b6087)
(cherry picked from commit 605716b999a4ca6c7d5777ab7463058e9b055dc2)
|
|
Based on Phil Pennock's commits b34d3046 and e6c1606a. Done by Qualys.
(cherry picked from commit 09d36bd64fc5bf71d8882af35c41ac4e8599acc1)
(cherry picked from commit f9c58fb385343b8e3fa13988efcbd30ae3285ea7)
|
|
Based on Phil Pennock's 8a50c88a, done by Qualys
(cherry picked from commit 8161c16ec7320ac6164954bade23179a0ed095eb)
(cherry picked from commit 71585e8fcb8704a9f431f5a8d019280cccaad069)
|
|
(cherry picked from commit 6e1fb878e95f8e6f838ffde5258c7a969c981865)
(cherry picked from commit 08102cbe8102f99b31655aa0e926c45b427efe6d)
|
|
Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me.
(cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c)
(cherry picked from commit dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7)
|
|
(cherry picked from commit 6290686dd59d8158d100c67e8f96df27158a6fc5)
(cherry picked from commit a53a7fcfb8216764e4420d8d263356b4ed7d5cef)
|
|
(cherry picked from commit cad30cd3fb96196e908e0d66b1b45fdf377c850c)
(cherry picked from commit 1c261b90f627f0489f7dfcf1e66b46cce67f477d)
|
|
Arbitrary PID file creation, clobbering, and deletion.
Patch provided by Qualys.
(cherry picked from commit 974f32939a922512b27d9f0a8a1cb5dec60e7d37)
(cherry picked from commit 43c6f0b83200b7082353c50187ef75de3704580a)
|
|
(cherry picked from commit 82b545236e6dc82b7af34528c532811bfc74ea19)
(cherry picked from commit be31ef213f118abe5fc68732f5492b6b16d28b87)
|
|
We patch dbfn_open() by introducing two functions priv_drop_temp() and
priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
and restore_uid()), which temporarily drop and restore root privileges
thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
(the project) doesn't trust seteuid to work reliably") but, to the best
of our knowledge, seteuid() works everywhere and is the only way to
securely fix dbfn_open().
(cherry picked from commit 18da59151dbafa89be61c63580bdb295db36e374)
(cherry picked from commit b05dc3573f4cd476482374b0ac0393153d344338)
|
|
Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
Harris's commits aa171254 and 9aceb5c2.
(cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
(cherry picked from commit 99d057fad97a2def9f000ebccda83e4008112819)
|
|
Credits: Qualys
7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
(cherry picked from commit f7ac5a7d1e817bf60f161e7a1d40b65d66da607f)
(cherry picked from commit 13f9998ebb937970d1d9d18f205a6e03e14105b4)
|
|
Credits: Qualys
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit 9fce76f56459dde7489eb21ce1ff822e04e10f43)
(cherry picked from commit 667fb25b8f0dc3fbac57bce4051e345555fa776a)
|
|
Credits: Qualys
6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:
773 canon_data->len = b->bodylength - b->signed_body_bytes;
For example, the following proof of concept sets lineending.len to 0
(this should not be possible):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948
Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}
(cherry picked from commit ea850e27714ccda2090d781ebe89b410bc38c2c6)
(cherry picked from commit 4e784efa28b25683c81a857b464777df593cabee)
|
|
Credits: Qualys
5/ receive_msg() calls dkim_exim_verify_finish(), which sets
dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls
pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX,
which reactivates the DKIM code.
As a result, pdkim_feed() is called again (through receive_getc at the
end of receive_msg()), but functions like pdkim_finish_bodyhash() and
exim_sha_finish() have already been called (in pdkim_feed_finish()).
This suggests a use-after-free.
But it seems that a use-after-free would happen only with
EVP_DigestFinal() (in exim_sha_finish()), which does not seem to be
reachable via DKIM (no SHA3). But we checked OpenSSL only, not GnuTLS.
Here is a proof of concept that triggers the bug (which came very close
to a security vulnerability):
(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'BDAT 42 LAST'; date >&2; sleep 30; printf 'not a valid header line\r\nDKIM-Signature:\r\nXXX'; sleep 30) | nc -n -v 192.168.56.102 25
(gdb) print &dkim_collect_input
$2 = (unsigned int *) 0x55e180386d90 <dkim_collect_input>
(gdb) watch *(unsigned int *) 0x55e180386d90
Hardware watchpoint 1: *(unsigned int *) 0x55e180386d90
Old value = 0
New value = 4294967295
#0 0x000055e18031f805 in pdkim_header_complete (ctx=ctx@entry=0x55e181b9e8e0) at pdkim.c:1006
#1 0x000055e18032106c in pdkim_feed_finish (ctx=0x55e181b9e8e0, return_signatures=0x55e180386d78 <dkim_signatures>, err=err@entry=0x7ffe443e1d00) at pdkim.c:1490
#2 0x000055e1802a3280 in dkim_exim_verify_finish () at dkim.c:328
#3 0x000055e1802c9d1d in receive_msg (extract_recip=extract_recip@entry=0) at receive.c:3409
(cherry picked from commit e3674091056ac05eb7ef1c504accce790c434bd7)
(cherry picked from commit 8b39dd074e3ec70cbda70a52cef5b71ecbf69499)
|
|
Credits: Qualys
4/ In src/smtp_in.c:
4966 case RCPT_CMD:
4967 HAD(SCH_RCPT);
4968 rcpt_count++;
....
5123 if (rcpt_count > recipients_max && recipients_max > 0)
In theory this recipients_max check can be bypassed, because the int
rcpt_count can overflow (become negative). In practice this would either
consume too much memory or generate too much network traffic, but maybe
it should be fixed anyway.
(cherry picked from commit 04139ca809fbe56d8fe9c55a77640ea9fa93b8f1)
(cherry picked from commit db96ca55137d7684a9afdf9d118feed9116906b7)
|
|
Credits: Qualys
3/ In src/deliver.c:
333 static int
334 open_msglog_file(uschar *filename, int mode, uschar **error)
335 {
336 if (Ustrstr(filename, US"/../"))
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
the /../ attempt but will open the file anyway.
(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)
(cherry picked from commit 1e9a340c05d7233969637095a8a6378b14de2976)
|
|
Credits: Qualys
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
(cherry picked from commit 58454ea01c2e817481770954edf09ad82f3cd417)
(cherry picked from commit 2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4)
|
|
Credits: Qualys
1/ In src/transports/smtp.c:
2281 int n = sizeof(sx->buffer);
2282 uschar * rsp = sx->buffer;
2283
2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
This should probably be either:
rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
or:
rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
(not sure which) to avoid an off-by-one.
(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
(cherry picked from commit 4045cb01a590ec480f45f80967cd9c59fe23a5d0)
|
|
(cherry picked from commit 8dad4da53bad2ed3b29fa6a3b9ef59bfec73dc0e)
(cherry picked from commit 125f0d4afbc858cf514c29326a3016c2d9d7bdc1)
|
|
The BDAT state switchers should happen so often during SMTP reception that a
compiler hint to inline seems wise.
The length filter checks happen on every start-up, which for Exim is often
enough that I think an inline these is warranted too.
(cherry picked from commit 6e3d0e3f1c8228ef19a3d1ba61f131cef3172ceb)
(cherry picked from commit 6ca5fcba34070f4495a0188f16eb2e4d78f3430a)
|
|
(cherry picked from commit 85a90771a373aaaced64b92d7176a8a310490b9e)
(cherry picked from commit da683a61556bbbebdffcbebf2668da58da59f898)
|
|
(cherry picked from commit dd1b9b753bb7c42df2b8f48d726b82928b67940b)
(cherry picked from commit 96fb195ebc2eb6790e6ad6dde46d478aee62198d)
|
|
A boundary case in looking for an opening quote before the closing quote could
walk off the front of the buffer.
(cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)
(cherry picked from commit 467948de0c407bd2bbc2e84abbbf09f35b035538)
|
|
(cherry picked from commit 323ff55e67b44e95f9d3cfaba155e385aa33c4bd)
(cherry picked from commit 3a54fcd1e303bf1cc49beca7ceac35d7448860a9)
|
|
A default of "unlimited" can have unfortunate consequences when people start
putting many millions of recipients on a message.
(cherry picked from commit 1d7780722a66cea8da5fa4ae0775e85d185fbf7e)
(cherry picked from commit a6e1f69d82adcfd3caab8f228d96750dfddc8f07)
|
|
(cherry picked from commit 706864e934c70941ce7a327f97b7649a1e5f5556)
(cherry picked from commit 9f06dcd6848052f2524658bf871c60a8d48c7dbe)
|
