Bug 702474 (CVE-2011-1764)

Summary: CVE-2011-1764 exim: improper format string handling in DKIM signatures
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, dwmw2, jskarvad, mlichvar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: exim 4.76
Doc Type: Bug Fix
Last Closed: 2012-08-10 18:36:33 UTC
Bug Depends On: 702475, 705448

Description Vincent Danen 2011-05-05 18:40:26 UTC
It was reported [1],[2] that Exim would improperly interpret '%' in a DKIM (DomainKeys Identified Mail) signature, which would get logged to the paniclog.  It is possible that using '%n' in the DKIM signature could be used to overwrite stack data, which could cause Exim to crash.

DKIM support has been in Exim since version 4.70.

A fix has been pushed upstream [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624670
[2] http://bugs.exim.org/show_bug.cgi?id=1106
[3] http://git.exim.org/exim.git/commitdiff/337e3505b0e6cd4309db6bf6062b33fa56e06cf8


Statement:

Not vulnerable. This issue did not affect the versions of exim as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for DKIM.
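
Added illustration of the bug class described in the report (this is example code written for this page, not Exim's source and not the upstream fix; the function names log_write, dkim_log_vulnerable, dkim_log_fixed and audit_format are hypothetical, and the header values are constructed). It shows a variadic logger that receives message-derived text as its format argument, the same call with a fixed "%s" format, and a small scanner that reports what directives a hostile DKIM-Signature value would be parsed as. The hostile value containing %n is only scanned, never passed to the logger, since executing it is undefined behaviour; the logger is exercised with a "%%" sequence, which is defined but still shows the text being interpreted rather than copied:

```c
/* Example code, not Exim's. Compile: cc -std=c99 -o dkimfmt dkimfmt.c */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Stand-in for a printf-style panic/main log writer (hypothetical name). */
int log_write(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: text taken from the message (a DKIM-Signature
 * value) is handed to the logger AS the format string. */
int dkim_log_vulnerable(char *out, size_t n, const char *msg)
{
    return log_write(out, n, msg);
}

/* Fixed pattern: the format is a constant, the untrusted text is only
 * an argument and is copied verbatim. */
int dkim_log_fixed(char *out, size_t n, const char *msg)
{
    return log_write(out, n, "%s", msg);
}

/* 1 if the logged line differs from the input, i.e. it was interpreted. */
int vulnerable_rewrites(const char *msg)
{
    char buf[LOGBUF];
    dkim_log_vulnerable(buf, sizeof buf, msg);
    return strcmp(buf, msg) != 0;
}

int fixed_rewrites(const char *msg)
{
    char buf[LOGBUF];
    dkim_log_fixed(buf, sizeof buf, msg);
    return strcmp(buf, msg) != 0;
}

/* What the vulnerable path would do with an arbitrary header value:
 * count conversion directives (each one reads a vararg that was never
 * supplied) and flag %n, which writes a count back to memory. */
struct fmt_audit { int directives; int writes; };

struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '\0') break;          /* trailing lone '%' */
        if (*p == '%') continue;          /* "%%" is a literal percent */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #*0123456789.hlLqjzt", *p)) p++;
        if (*p == '\0') break;
        a.directives++;
        if (*p == 'n') a.writes++;
    }
    return a;
}

int main(void)
{
    /* constructed header values */
    const char *benign  = "v=1; d=example.com; bh=abc%%def";
    const char *hostile = "v=1; d=%x%x%x%n";
    char buf[LOGBUF];

    dkim_log_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: %s\n", buf);    /* "%%" collapsed to "%" */
    dkim_log_fixed(buf, sizeof buf, benign);
    printf("fixed:      %s\n", buf);    /* copied verbatim */

    struct fmt_audit a = audit_format(hostile);
    printf("hostile value: %d directives, %d memory write(s) via %%n\n",
           a.directives, a.writes);
    return 0;
}
```

The check a practitioner wants here is the "%s" form: any log, panic or error call whose format argument is not a string literal is a candidate for this bug, and compilers flag it with -Wformat-security, which is worth enabling as an error in a mail server build.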

Comment 1 Vincent Danen 2011-05-05 18:41:13 UTC
Created exim tracking bugs for this issue

Affects: fedora-all [bug 702475]

Comment 2 Josh Bressers 2011-05-05 18:49:35 UTC
A workaround is to add "control = dkim_disable_verify" to an ACL to prevent processing DKIM signatures.

Comment 3 Vincent Danen 2011-05-17 17:54:24 UTC
Created exim tracking bugs for this issue

Affects: epel-6 [bug 705448]

Comment 4 Vincent Danen 2012-08-10 18:23:54 UTC
According to:

http://wiki.exim.org/EximSecurity

This was resolved in upstream 4.76.  Currently supported versions of Fedora provide 4.76, however EPEL6 still provides 4.72 and is still vulnerable.

Comment 5 Vincent Danen 2012-08-10 18:36:33 UTC
It seems that EPEL6 did fix this, but incorrectly noted the wrong CVE:

exim-4.72-0003-CVE-2011-1407.patch is from the git commit above, so it actually fixes CVE-2011-1764 and _not_ CVE-2011-1407 as the patch name and changelog implied.