Bug 870356

Summary: Exim 4.70 - 4.80 : Remote Execution Exploit in DKIM module.
Product: [Fedora] Fedora
Reporter: customercare
Component: exim
Assignee: David Woodhouse <dwmw2>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 16
CC: dwmw2, jskarvad
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2012-10-26 15:01:55 UTC
Type: Bug

Description customercare 2012-10-26 08:48:52 UTC
Posted by pdp on 10:35 today ( 13 minutes ago )

Folks,

During internal code review on Wednesday, I uncovered a remote code
execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
handling.  This can be triggered by anyone who can send you email from a
domain for which they control the DNS, and gets them the Exim run-time
user.

Thanks to a certain Wired article, I decided this area of the codebase
(of many MTAs) would be likely to be reviewed by more than just me, so
it would be sheer hubris to hope that this remained undiscovered by
blackhats.

So Exim 4.80.1 has been cut, which has no new features, none of the
other changes, and is "4.80 plus security fix"; the patch and
notification were available to vendors from late Wednesday, and I sucked
it up and accepted that I would be deeply unpopular with a Friday
release, after the vendors had Thursday to prep.

At 8am UTC, I released Exim 4.80.1.  The patch should apply cleanly to
any affected version of Exim, so your vendor should have a clean patch
for you.

For those who build/maintain their own Exim releases, but have not kept
up-to-date on Exim and are not ready to move to 4.80/4.80.1, you will
wish to study:

  http://git.exim.org/exim.git/commit/4263f395efd136dece52d765dfcff3c96f17506e

Regards,
-Phil

Comment 1 customercare 2012-10-26 09:16:51 UTC
Would be nice if you release the patched package today.

Comment 2 Vincent Danen 2012-10-26 15:01:55 UTC

*** This bug has been marked as a duplicate of bug 869953 ***

Comment 3 Tomas Hoger 2012-10-26 15:23:03 UTC
Updated packages are already built and submitted as updates:

https://admin.fedoraproject.org/updates/exim

*** This bug has been marked as a duplicate of bug 870347 ***