Discussion of security issues - ----------------------------- 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. The input to this function is supposed to be checked; the report said that an unchecked value could be passed via the command line (without specifying which command line option, annoyingly). I found one such case, which was a call do a dnsdb lookup for a PTR record, as part of testing expansions using -be. The first patch below fixes this - as it happens, this change had already been made to the current source. The report stated that Exim was running as "exim" when the problem occurred: with -be, Exim runs as the calling user. Therefore, either the report was wrong, or there is another case that I could not find. However, if there is another case, it will now be covered by the second patch below, which puts a test into the host_aton() function itself. (This should, of course, have been there all the time, as a bit of defensive programming, but hey, I'm only human. :-) 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. The remaining patches below fix this problem by adding a buffer length parameter to the problem function. I have tested that SPA authentication still works, but I don't have the tools to test that an attempt to exploit the overflow is now detected.
CAN-2005-0021 and CAN-2005-0022, this will be RHSA-2005:025
Not quite sure why this is in modified, as it appears there are issues getting the package built. Flipping back to assigned until we have packages built with the fix in them.
We have fixed packages built: 4.43-1.RHEL4.2
There was a problem with 4.43-1.RHEL4.2 -- the patch was present but not applied. This is fixed in exim-4.43-1.RHEL4.3
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-025.html