Bug 2127633

Summary: exim-greylist 4.96 "tainted search query is not properly quoted"
Product: [Fedora] Fedora
Reporter: Russell Odom <russ+bugzilla-redhat>
Component: exim
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 35
CC: bennie.joubert, dwmw2, jskarvad, mharri
Hardware: Unspecified
OS: Unspecified
Fixed In Version: exim-4.96-2.el8 exim-4.96-2.el7 exim-4.96-2.el9 exim-4.96-3.fc35 exim-4.96-3.fc36 exim-4.96-5.fc37
Doc Type: If docs needed, set a value
Last Closed: 2022-10-11 10:28:47 UTC
Type: Bug
Attachments: Patch for exim-greylist.conf.inc to add quote_sqlite

Description Russell Odom 2022-09-17 16:19:29 UTC
Created attachment 1912549: Patch for exim-greylist.conf.inc to add quote_sqlite

Description of problem:
In the upgrade of exim from 4.94 to 4.96, there is tainting of some additional variables. With the greylisting in the exim-greylist package, one of the INSERTs into the sqlite DB for greylisting tries to use a tainted value, generating a log entry in panic.log and a (permanent) rejection of the message.

Version-Release number of selected component (if applicable):
exim-greylist-4.96-2.fc35.x86_64


How reproducible:
Every time.

Steps to Reproduce:
1. Remote MTA attempts to deliver a message which triggers greylisting, according to whatever rules are configured in exim.conf

Actual results:
panic.log gets an entry like this:
2022-09-16 12:10:50 1oZ9FB-001PZ9-1c tainted search query is not properly quoted (ACL warn, /etc/exim/exim-greylist.conf.inc 116): INSERT INTO greylist VALUES ( 'bacSoGDjdDg7zSzZ1eYy', '1663325650', '2001:1243:567::1', 'example.com' );

Message is rejected.

Expected results:
Message is greylisted (and, if retried later, succeeds).

Additional info:
The attached patch seems to fix it.
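As an added illustration, not the reporter's patch and not the exim-greylist configuration itself, the following Python emulates what exim's `${quote_sqlite:...}` operator does to a value and runs the greylist INSERT from the panic.log entry against an in-memory SQLite table. The table schema, the column names and the apostrophe-bearing host value are constructed for the example.

```python
"""Added example, not code from the bug report or the exim-greylist package:
emulates exim's ${quote_sqlite:...} operator on the greylist INSERT shown in
panic.log and runs it against an in-memory SQLite table."""
import sqlite3

# Four text columns matching the VALUES in the logged INSERT; the column
# names and types are assumed, the real greylist schema is not on the page.
SCHEMA = "CREATE TABLE greylist (id TEXT, ts TEXT, host TEXT, domain TEXT)"

# The values from the panic.log entry in the report.
LOGGED = ("bacSoGDjdDg7zSzZ1eYy", "1663325650", "2001:1243:567::1", "example.com")
# Constructed value: a remote-supplied string that happens to contain an
# apostrophe, the case the taint check exists to make the config handle.
APOSTROPHE = ("bacSoGDjdDg7zSzZ1eYy", "1663325650", "o'brien.example", "example.com")


def quote_sqlite(value: str) -> str:
    """SQLite string-literal quoting, as exim's quote_sqlite performs it:
    every single quote is doubled so the value cannot end the literal early."""
    return value.replace("'", "''")


def build_insert(values, quoter=lambda s: s) -> str:
    """Expand the INSERT the way a config template does, by pasting each value
    into a quoted literal. `quoter` stands in for wrapping each variable in
    ${quote_sqlite:...}; the default pastes the raw value, which is what the
    4.96 taint check refuses to execute."""
    return "INSERT INTO greylist VALUES ( '%s', '%s', '%s', '%s' )" % tuple(
        quoter(v) for v in values)


def run_insert(sql: str):
    """Run one INSERT on a fresh in-memory greylist table. Returns the stored
    rows on success, or the SQLite error text if the statement does not parse."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(SCHEMA)
        conn.execute(sql)
        return conn.execute("SELECT * FROM greylist").fetchall()
    except sqlite3.Error as exc:
        return str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # The logged values work either way, which is why 4.96 checks the quoting
    # of the query itself rather than waiting for a value that breaks it.
    print(run_insert(build_insert(LOGGED)))
    print(run_insert(build_insert(APOSTROPHE)))                 # syntax error
    print(run_insert(build_insert(APOSTROPHE, quote_sqlite)))   # one row
```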

Comment 2 Fedora Update System 2022-10-03 17:01:32 UTC
FEDORA-2022-50a71ba78c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-50a71ba78c

Comment 3 Fedora Update System 2022-10-03 17:02:00 UTC
FEDORA-2022-40ee7d9a64 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-40ee7d9a64

Comment 4 Fedora Update System 2022-10-03 17:02:38 UTC
FEDORA-2022-4f295d8374 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4f295d8374

Comment 5 Fedora Update System 2022-10-03 17:03:18 UTC
FEDORA-EPEL-2022-fa3d472c04 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-fa3d472c04

Comment 6 Fedora Update System 2022-10-03 17:03:58 UTC
FEDORA-EPEL-2022-0d7031d4ae has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0d7031d4ae

Comment 7 Fedora Update System 2022-10-03 17:04:32 UTC
FEDORA-EPEL-2022-2ea6df27c0 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ea6df27c0

Comment 8 Fedora Update System 2022-10-04 00:27:57 UTC
FEDORA-EPEL-2022-0d7031d4ae has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0d7031d4ae

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-10-04 00:33:35 UTC
FEDORA-EPEL-2022-2ea6df27c0 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ea6df27c0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-10-04 01:23:12 UTC
FEDORA-2022-50a71ba78c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-50a71ba78c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-50a71ba78c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-10-04 01:45:08 UTC
FEDORA-2022-40ee7d9a64 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-40ee7d9a64`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-40ee7d9a64

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2022-10-04 02:01:52 UTC
FEDORA-2022-4f295d8374 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-4f295d8374`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-4f295d8374

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2022-10-04 02:25:51 UTC
FEDORA-EPEL-2022-fa3d472c04 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-fa3d472c04

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2022-10-11 10:28:47 UTC
FEDORA-EPEL-2022-0d7031d4ae has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2022-10-11 10:33:16 UTC
FEDORA-EPEL-2022-2ea6df27c0 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2022-10-11 10:53:35 UTC
FEDORA-EPEL-2022-fa3d472c04 has been pushed to the Fedora EPEL 9 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2022-10-11 11:13:03 UTC
FEDORA-2022-4f295d8374 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 18 Fedora Update System 2022-10-11 11:32:50 UTC
FEDORA-2022-40ee7d9a64 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2022-11-10 22:30:23 UTC
FEDORA-2022-90e08c08e6 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.