
Bug 144099

Summary: CAN-2005-0021 exim security issues (CAN-2005-0022)
Product: Red Hat Enterprise Linux 4
Reporter: David Woodhouse <dwmw2>
Component: exim
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.0
CC: jturner, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html
Whiteboard: impact=moderate,public=20050104
Doc Type: Bug Fix
Last Closed: 2005-02-15 08:27:24 UTC
Bug Blocks: 142822

Description David Woodhouse 2005-01-04 15:45:03 UTC
Discussion of security issues
-----------------------------

1. The function host_aton() can overflow a buffer if it is presented with an
   illegal IPv6 address that has more than 8 components. The input to this
   function is supposed to be checked; the report said that an unchecked value
   could be passed via the command line (without specifying which command line
   option, annoyingly). I found one such case, which was a call to a dnsdb
   lookup for a PTR record, as part of testing expansions using -be. The first
   patch below fixes this - as it happens, this change had already been made to
   the current source.

   The report stated that Exim was running as "exim" when the problem occurred:
   with -be, Exim runs as the calling user. Therefore, either the report was
   wrong, or there is another case that I could not find. However, if there is
   another case, it will now be covered by the second patch below, which puts a
   test into the host_aton() function itself. (This should, of course, have
   been there all the time, as a bit of defensive programming, but hey, I'm
   only human. :-)

2. The second report described a buffer overflow in the function
   spa_base64_to_bits(), which is part of the code for SPA authentication. This
   code originated in the Samba project. The overflow can be exploited only if
   you are using SPA authentication. The remaining patches below fix this
   problem by adding a buffer length parameter to the problem function. I have
   tested that SPA authentication still works, but I don't have the tools to
   test that an attempt to exploit the overflow is now detected.
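The defensive check that item 1 says host_aton() was missing, as an added example that is not Exim's or Red Hat's code: a textual IPv6 parser that counts groups before storing them and refuses a ninth, and also rejects a repeated "::" or a group wider than 16 bits, instead of writing past the destination array. The function name parse_ipv6, the helper hexval and the IPV6_GROUPS constant are this example's own; embedded IPv4 suffixes are not handled.

```c
/* Added example, not Exim's code: a bounds-checked parser for textual IPv6
 * addresses of the kind host_aton() needed. Stores at most IPV6_GROUPS 16-bit
 * groups in out[]; returns 0 on success, -1 on malformed input. No IPv4 suffix. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define IPV6_GROUPS 8

static int hexval(int c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

int parse_ipv6(const char *s, uint16_t out[IPV6_GROUPS])
{
    uint16_t head[IPV6_GROUPS], tail[IPV6_GROUPS];
    int nhead = 0, ntail = 0, seen_gap = 0;
    const char *p = s;
    if (p[0] == ':' && p[1] == ':') { seen_gap = 1; p += 2; }
    else if (p[0] == ':') return -1;            /* lone leading ':' */
    while (*p != '\0') {
        unsigned v = 0;
        int ndigits = 0;
        while (isxdigit((unsigned char)*p)) {
            if (++ndigits > 4) return -1;       /* group wider than 16 bits */
            v = v * 16 + (unsigned)hexval((unsigned char)*p++);
        }
        if (ndigits == 0) return -1;            /* empty group or junk */
        /* The check host_aton() lacked: refuse to store a ninth group. */
        if (nhead + ntail >= IPV6_GROUPS) return -1;
        if (seen_gap) tail[ntail++] = (uint16_t)v;
        else          head[nhead++] = (uint16_t)v;
        if (*p == '\0') break;
        if (*p++ != ':') return -1;             /* separator must be ':' */
        if (*p == ':') {                        /* "::" is allowed once */
            if (seen_gap) return -1;
            seen_gap = 1;
            p++;
        } else if (*p == '\0') return -1;       /* trailing single ':' */
    }
    /* "::" must stand for at least one group; without it all 8 are needed. */
    if (seen_gap ? nhead + ntail >= IPV6_GROUPS : nhead != IPV6_GROUPS)
        return -1;
    memset(out, 0, sizeof(uint16_t) * IPV6_GROUPS);
    memcpy(out, head, sizeof(uint16_t) * (size_t)nhead);
    memcpy(out + IPV6_GROUPS - ntail, tail, sizeof(uint16_t) * (size_t)ntail);
    return 0;
}
```

An input such as "1:2:3:4:5:6:7:8:9" (nine components) is rejected before anything is written, which is the failure mode the report describes.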

Comment 4 Mark J. Cox 2005-01-05 08:56:01 UTC
CAN-2005-0021 and CAN-2005-0022, this will be RHSA-2005:025

Comment 5 Jay Turner 2005-01-14 12:44:21 UTC
Not quite sure why this is in modified, as it appears there are issues getting
the package built.  Flipping back to assigned until we have packages built with
the fix in them.

Comment 7 David Woodhouse 2005-01-14 14:32:53 UTC
We have fixed packages built: 4.43-1.RHEL4.2

Comment 8 David Woodhouse 2005-01-17 10:31:03 UTC
There was a problem with 4.43-1.RHEL4.2 -- the patch was present but not
applied. This is fixed in exim-4.43-1.RHEL4.3

Comment 9 Mark J. Cox 2005-02-15 08:27:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-025.html