Debian Bug report logs - #289046
Vulnerable to CAN-2005-0021


Package: exim; Maintainer for exim is (unknown);

Reported by: Klaus Ethgen <Klaus@Ethgen.de>

Date: Thu, 6 Jan 2005 11:03:06 UTC

Severity: critical

Tags: patch, sarge, security, sid, woody

Fixed in versions exim/3.36-12, exim/3.36-13

Done: Mark Baker <mark@mnb.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#288918; Package exim4.

Acknowledgement sent to Klaus Ethgen <Klaus@Ethgen.de>:
New Bug report received and forwarded. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Klaus Ethgen <Klaus@Ethgen.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Security patch
Date: Thu, 6 Jan 2005 11:54:40 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: exim4
Version: 4.34-9
Severity: critical

Two security holes are reported and should be fixed:
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

- -- Package-specific info:
Exim version 4.34 #1 built 07-Dec-2004 13:59:38
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 3.2.9: (May 26, 2004)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated

- -- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable'), (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)

Versions of packages exim4 depends on:
ii  exim4-base                    4.34-9     EXperimental Internal Mailer -- a 
ii  exim4-daemon-light            4.34-9     Lightweight version of the Exim (v

- -- no debconf information
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iQEVAwUBQd0Y8J+OKpjRpO3lAQLQSwf7B/4Cr1sOXIU7pDC3whhfPbIjlJXwZ0nZ
OsIwtGYkRKedVg0zNK9BZ5NJrAj7etctcQ+9jlPdxQLrM2vBkaOe4L6xgc0YBOyn
/Cp/AiVtM4oiiMNqpEAQRpBwWY74r7JhE4CJlimnAJPTKzXMc0HTuy1yQgT70zIV
ScFXEDrLP2xYCmvBua8DT1ipSLdC8LPLkhquV9+imi2Vf8BfkZeSw33Qf1q80dBB
lkl/ggUjx2zHBgWSNYO3oFVFcaA8MR+3ud1PLVyAlot2laKMDfYNDfOH+eKPTcS+
NHO5v3IdJnodz7HFDwhQ9l+ARm+021+9cEVS6e7YHov/S0RtE6k0rg==
=gn+Z
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#288918; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #10 received at 288918@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Klaus Ethgen <Klaus@Ethgen.de>, 288918@bugs.debian.org
Subject: Re: Bug#288918: Security patch
Date: Thu, 6 Jan 2005 12:14:12 +0100
tags #288918 sarge confirmed experimental security upstream
thanks

On Thu, Jan 06, 2005 at 11:54:40AM +0100, Klaus Ethgen wrote:
> Two security holes are reported and should be fixed:
> http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

This is already fixed in unstable, with the package waiting for
inclusion into sarge.

Fix for the experimental 4.43 packages is pending.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Tags added: sarge, confirmed, experimental, security, upstream. Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org.

Tags set to: confirmed, sarge, security, upstream. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#288918; Package exim4.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #19 received at 288918@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 288918@bugs.debian.org
Subject: do these holes affect exim 3?
Date: Thu, 6 Jan 2005 15:49:37 -0500
Re these two security holes, which have just been assigned CVE ids
CAN-2005-0022 and CAN-2005-0021, does anyone know if the security holes
also affect exim version 3?

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#288918; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #24 received at 288918@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Joey Hess <joeyh@debian.org>, 288918@bugs.debian.org
Subject: Re: Bug#288918: do these holes affect exim 3?
Date: Thu, 6 Jan 2005 22:56:49 +0100
On Thu, Jan 06, 2005 at 03:49:37PM -0500, Joey Hess wrote:
> Re these two security holes, which have just been assigned CVE ids
> CAN-2005-0022 and CAN-2005-0021, does anyone know if the security holes
> also affect exim version 3?

You might ask that question to the maintainer of the exim 3 packages.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#288918; Package exim4.

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #29 received at 288918@bugs.debian.org:

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: Joey Hess <joeyh@debian.org>, 288918@bugs.debian.org
Cc: exim@packages.debian.org
Subject: Re: Bug#288918: do these holes affect exim 3?
Date: Thu, 6 Jan 2005 23:13:27 +0100
clone 288918 -1
reassign -1 exim
retitle -1 Vulnerable to CAN-2005-0021
tags -1 = woody sarge sid security patch
thanks
On 2005-01-06 Joey Hess <joeyh@debian.org> wrote:
> Re these two security holes, which have just been assigned CVE ids
> CAN-2005-0022 and CAN-2005-0021, does anyone know if the security holes
> also affect exim version 3?

Hello,
The second issue concerns SPA authentication which exim v3 does not
support.

The other issue
| The function host_aton() can overflow a buffer if it is presented
| with an illegal IPv6 address that has more than 8 components.
| The input to this function is supposed to be checked; the report
| said that an unchecked value could be passed via the command line
| (without specifying which command line option, annoyingly). I found
| one such case, which was a call to a dnsdb lookup for a PTR record,
| as part of testing expansions using -be.

applies afaict, both parts of the respective code (dnsdb and
host_aton()) are identical.

-------
--- exim-3.36/src/host.c	2002-04-04 14:56:18.000000000 +0200
+++ exim-3.36/src/host.c	2005-01-06 22:50:30.000000000 +0100
@@ -620,12 +620,18 @@
 
   if (*p == ':') p++;
 
-  /* Split the address into components separated by colons. */
+  /* Split the address into components separated by colons. The input address
+  is supposed to be checked for syntax. There was a case where this was
+  overlooked; to guard against that happening again, check here and crash if
+  there is a violation. */
 
   while (*p != 0)
     {
     int len = strcspn(p, ":");
     if (len == 0) nulloffset = ci;
+    if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+      address);
     component[ci++] = p;
     p += len;
     if (*p == ':') p++;
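Review bot: the guard `if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, ...)` is placed before `component[ci++] = p;`, so it confines stores to indices 0..7; that is only sound if `component` is declared with at least eight entries, and the declaration is outside this hunk, so confirm it in src/host.c before merging. Note also that LOG_PANIC_DIE terminates the process, so any remaining caller that skips syntax checking now turns an over-long address into an abort rather than a handled error; the new comment says this fail-safe is deliberate, which is fine, but it means the dnsdb.c hunk is the change that actually keeps unchecked input away from host_aton(), and the changelog entry should say so rather than presenting this guard as the fix on its own.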
--- exim-3.36/src/lookups/dnsdb.c	2002-04-04 14:56:18.000000000 +0200
+++ exim-3.36/src/lookups/dnsdb.c	2005-01-06 23:10:53.000000000 +0100
@@ -116,7 +116,7 @@
 /* If the type is PTR, we have to construct the relevant magic lookup
 key. */
 
-if (type == T_PTR)
+if (type == T_PTR && string_is_ip_address(keystring, NULL))
   {
   char *p = keystring + (int)strlen(keystring);
   char *pp = buffer;
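Review bot: with `if (type == T_PTR && string_is_ip_address(keystring, NULL))`, a PTR lookup whose key is not an IP address no longer enters this block and instead takes whatever path follows it, which is not shown in the hunk; check that this path treats the key as an ordinary DNS name or fails the lookup, rather than handing the raw string to host_aton(), since keeping unchecked input out of that function is the point of the change. Because this hunk was carried over from the 4.x tree (the message says both pieces of code are identical), also confirm that `string_is_ip_address` exists in exim 3.36 with this two-argument form and accepts NULL as its second argument; otherwise the 3.36 build fails even though the patch applies.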
-------
               cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
                                           http://downhill.aus.cc/
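The two defences discussed in this message (a syntax check at the trust boundary in dnsdb.c, and a bounds check inside the splitting loop of host_aton()) as an added example in C. This is not Exim code and not from the bug log: the names `is_plausible_ipv6`, `split_ipv6_components`, `checked_ptr_components` and `MAX_IPV6_COMPONENTS` are hypothetical, the validator is a deliberately simplified stand-in for string_is_ip_address(), and the splitter returns an error code where the upstream patch calls log_write() with LOG_PANIC_DIE. The sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not Exim code. A textual IPv6
   address has at most eight 16-bit groups, so the splitter keeps eight
   slots, which is the invariant host_aton()'s component array relies on. */
#define MAX_IPV6_COMPONENTS 8

/* Simplified stand-in for the syntax check at the trust boundary (the role
   string_is_ip_address() plays in the dnsdb.c hunk). Accepts only hex groups
   of 1-4 digits separated by single colons, with at most one "::" and at most
   eight groups. Deliberately does not accept the embedded-IPv4 form
   "::ffff:a.b.c.d"; a full validator would. Returns 1 if plausible, else 0. */
int is_plausible_ipv6(const char *s)
{
    int groups = 0, run = 0, double_colon = 0;
    const char *p;

    if (*s == 0) return 0;
    if (s[0] == ':' && s[1] != ':') return 0;      /* lone leading colon */

    for (p = s; *p != 0; p++) {
        if (isxdigit((unsigned char)*p)) {
            if (++run > 4) return 0;               /* group longer than 4 hex digits */
        } else if (*p == ':') {
            if (run > 0) { groups++; run = 0; }
            if (p[1] == ':') {
                if (double_colon) return 0;        /* a second "::" */
                double_colon = 1;
                p++;                               /* consume the pair */
                if (p[1] == ':') return 0;         /* ":::" */
            } else if (p[1] == 0) {
                return 0;                          /* lone trailing colon */
            }
        } else {
            return 0;                              /* neither hex digit nor colon */
        }
    }
    if (run > 0) groups++;
    return double_colon ? (groups <= 7) : (groups == 8);
}

/* Splitting loop in the shape of host_aton()'s, but with the bounds check
   reporting an error instead of writing past the array (the unpatched
   behaviour) or aborting the process (the upstream patch). Stores a pointer
   to each colon-separated component, records the index of an empty
   component (the "::" position) in *nulloffset, -1 if there is none, and
   returns the component count, or -1 if a ninth component would be needed. */
int split_ipv6_components(const char *address,
                          const char *component[MAX_IPV6_COMPONENTS],
                          int *nulloffset)
{
    const char *p = address;
    int ci = 0;

    *nulloffset = -1;
    if (*p == ':') p++;                            /* first colon of a leading "::" */

    while (*p != 0) {
        size_t len = strcspn(p, ":");
        if (len == 0) *nulloffset = ci;
        if (ci >= MAX_IPV6_COMPONENTS) return -1;  /* the check the original loop lacked */
        component[ci++] = p;
        p += len;
        if (*p == ':') p++;
    }
    return ci;
}

/* Mirrors the dnsdb.c change: the reverse-lookup key is only built from a
   string that passed the syntax check, so the splitter never sees an
   unchecked value. Returns the component count, or -1 if the key is rejected. */
int checked_ptr_components(const char *keystring,
                           const char *component[MAX_IPV6_COMPONENTS],
                           int *nulloffset)
{
    if (!is_plausible_ipv6(keystring)) return -1;
    return split_ipv6_components(keystring, component, nulloffset);
}

int main(void)
{
    /* Constructed inputs: two well-formed addresses and one with nine groups. */
    const char *samples[] = { "2001:db8::1", "::1", "1:2:3:4:5:6:7:8:9" };
    const char *comp[MAX_IPV6_COMPONENTS];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int nulloffset;
        int n = checked_ptr_components(samples[i], comp, &nulloffset);
        if (n < 0)
            printf("%-20s rejected before reaching the splitter\n", samples[i]);
        else
            printf("%-20s %d component(s), \"::\" at index %d\n",
                   samples[i], n, nulloffset);
    }
    return 0;
}
```

The point of keeping both checks is the one the upstream comment makes: the boundary check is the real fix, because it is the only place that knows the input is untrusted, while the check inside the splitter is a belt-and-braces guard that turns a future missed validation into a loud failure instead of silent memory corruption. Returning -1 rather than aborting is a design choice for a library-style function; in a daemon that has already established the input should have been validated, an immediate abort, as the patch does, is also a defensible answer.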



Bug 288918 cloned as bug 289046. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org.

Bug reassigned from package `exim4' to `exim'. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org.

Changed Bug title. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org.

Tags set to: woody, sarge, sid, security, patch. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org.

Reply sent to Mark Baker <mark@mnb.org.uk>:
You have taken responsibility.

Notification sent to Klaus Ethgen <Klaus@Ethgen.de>:
Bug acknowledged by developer.

Message #42 received at 289046-close@bugs.debian.org:

From: Mark Baker <mark@mnb.org.uk>
To: 289046-close@bugs.debian.org
Subject: Bug#289046: fixed in exim 3.36-12
Date: Thu, 06 Jan 2005 18:32:03 -0500
Source: exim
Source-Version: 3.36-12

We believe that the bug you reported is fixed in the latest version of
exim, which is due to be installed in the Debian FTP archive:

exim_3.36-12.diff.gz
  to pool/main/e/exim/exim_3.36-12.diff.gz
exim_3.36-12.dsc
  to pool/main/e/exim/exim_3.36-12.dsc
exim_3.36-12_i386.deb
  to pool/main/e/exim/exim_3.36-12_i386.deb
eximon_3.36-12_i386.deb
  to pool/main/e/exim/eximon_3.36-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Baker <mark@mnb.org.uk> (supplier of updated exim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  6 Jan 2005 23:12:57 +0000
Source: exim
Binary: exim eximon
Architecture: source i386
Version: 3.36-12
Distribution: unstable
Urgency: high
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Mark Baker <mark@mnb.org.uk>
Description: 
 exim       - An MTA (Mail Transport Agent)
 eximon     - X monitor for the exim mail transport agent.
Closes: 231099 288760 289046
Changes: 
 exim (3.36-12) unstable; urgency=high
 .
   * src/host.c, stc/lookups/dnsdb.c: Applied upstream patch to  avoid
     potential buffer overflow vulnerability in host_aton() [CAN-2005-0021]
     (Closes: #289046)
   * debian/mail: removed reference to Nigel Methringham's system filter
     (Closes: #231099)
   * debian/rules: use -isp options to dpkg-gencontrol (Closes: #288760)
Files: 
 c2bf20a3101934fe940a4bad785680f8 680 mail extra exim_3.36-12.dsc
 9fc592aa37496b17d04a2d9d6d4185b2 77145 mail extra exim_3.36-12.diff.gz
 bd1fe550dca6872429e696f4fd4b9660 757436 mail extra exim_3.36-12_i386.deb
 8157b6a9693dd12c26fd877a95a5578f 39562 mail extra eximon_3.36-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFB3cZ5Lk+GuosNQvkRAuXPAKCMS+e7RooXj4Gm6Gj5teKItb8QEACglleK
giX+PLhkz8c0BtjJb4YITic=
=wmTl
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Baker <mark@mnb.org.uk>:
Bug#289046; Package exim.

Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Mark Baker <mark@mnb.org.uk>.

Message #47 received at 289046@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Mark Baker <mark@mnb.org.uk>
Cc: 289046@bugs.debian.org
Subject: Re: Bug#289046: fixed in exim 3.36-12
Date: Sun, 9 Jan 2005 11:12:33 +0100
reopen 289046
thanks

On Thu, Jan 06, 2005 at 06:32:03PM -0500, Mark Baker wrote:
> We believe that the bug you reported is fixed in the latest version of
> exim
>  exim (3.36-12) unstable; urgency=high
>  .
>    * src/host.c, stc/lookups/dnsdb.c: Applied upstream patch to  avoid
>      potential buffer overflow vulnerability in host_aton() [CAN-2005-0021]
>      (Closes: #289046)

I have to disagree with that. The 3.36-12.diff.gz does not contain any
changes to src/host.c or stc/lookups/dnsdb.c. Thus, I have to assume
that the bug is still valid for the exim version in unstable,
therefore I am reopening the bug.

[6/81]mh@lefler[chroot woody]:~/exim$ < exim_3.36-12.diff.gz gunzip | lsdiff | grep '\(host\.c\|dnsdb\.c\)'
[7/82]mh@lefler[chroot woody]:~/exim$

Greetings
Marc



Bug reopened, originator not changed. Request was from Marc Haber <mh+debian-bugs@zugschlus.de> to control@bugs.debian.org.

Reply sent to Mark Baker <mark@mnb.org.uk>:
You have taken responsibility.

Notification sent to Klaus Ethgen <Klaus@Ethgen.de>:
Bug acknowledged by developer.

Message #54 received at 289046-close@bugs.debian.org:

From: Mark Baker <mark@mnb.org.uk>
To: 289046-close@bugs.debian.org
Subject: Bug#289046: fixed in exim 3.36-13
Date: Sun, 09 Jan 2005 07:32:03 -0500
Source: exim
Source-Version: 3.36-13

We believe that the bug you reported is fixed in the latest version of
exim, which is due to be installed in the Debian FTP archive:

exim_3.36-13.diff.gz
  to pool/main/e/exim/exim_3.36-13.diff.gz
exim_3.36-13.dsc
  to pool/main/e/exim/exim_3.36-13.dsc
exim_3.36-13_i386.deb
  to pool/main/e/exim/exim_3.36-13_i386.deb
eximon_3.36-13_i386.deb
  to pool/main/e/exim/eximon_3.36-13_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Baker <mark@mnb.org.uk> (supplier of updated exim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  9 Jan 2005 12:08:50 +0000
Source: exim
Binary: exim eximon
Architecture: source i386
Version: 3.36-13
Distribution: unstable
Urgency: high
Maintainer: Mark Baker <mark@mnb.org.uk>
Changed-By: Mark Baker <mark@mnb.org.uk>
Description: 
 exim       - An MTA (Mail Transport Agent)
 eximon     - X monitor for the exim mail transport agent.
Closes: 289046
Changes: 
 exim (3.36-13) unstable; urgency=high
 .
   * src/host.c, stc/lookups/dnsdb.c: Applied upstream patch to  avoid
     potential buffer overflow vulnerability in host_aton() [CAN-2005-0021]
     (Closes: #289046)
Files: 
 7de2887a36c0ff79bc48f9bcf4abe2fb 680 mail extra exim_3.36-13.dsc
 95545b2aaef1398d2f8e456b6051e5bf 77599 mail extra exim_3.36-13.diff.gz
 59e2f5dcbdfd1e66bc7431e5b7e22142 757532 mail extra exim_3.36-13_i386.deb
 90df64f7e640ddde29752254ad593283 39558 mail extra eximon_3.36-13_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFB4R82Lk+GuosNQvkRAqfoAKCV+cDuRgrXINTH8eqAfSESw3sZcQCffReK
l5HPGXQomKz7fA1Ae3ScH7E=
=lGDk
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:10:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.