Discussion of security issues
1. The function host_aton() can overflow a buffer if it is presented illegal IPv6 address that has more than 8 components. The input to function is supposed to be checked; the report said that an could be passed via the command line (without specifying which option, annoyingly). I found one such case, which was a call to a dnsdb lookup for a PTR record, as part of testing expansions using -be. patch below fixes this - as it happens, this change had already been made to the current source.

The report stated that Exim was running as "exim" when the problem with -be, Exim runs as the calling user. Therefore, either the wrong, or there is another case that I could not find. However, if another case, it will now be covered by the second patch below, which puts a test into the host_aton() function itself. (This should, of course, been there all the time, as a bit of defensive programming, but only human. :-)
2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA code originated in the Samba project. The overflow can be exploited you are using SPA authentication. The remaining patches below fix this problem by adding a buffer length parameter to the problem function. I have tested that SPA authentication still works, but I don't have the test that an attempt to exploit the overflow is now detected.
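The fix described in point 2 is to give the base64 decoder an explicit output-buffer length so it can refuse input that would not fit. The following is an added illustration of that defensive pattern, not Exim's or Samba's code; the function and helper names are assumed, and the sample inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value; -1 for anything else.
   Hypothetical helper written for this example. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out[], never storing more than out_len bytes.
   Returns the number of bytes written, or -1 if the input contains a
   non-alphabet byte or would exceed out_len. The bound is checked before
   each byte is stored, so an overlong input is rejected instead of
   running past the caller's buffer. */
long base64_to_bits_bounded(const char *in, unsigned char *out, size_t out_len)
{
    size_t n = 0;           /* bytes produced so far */
    unsigned int acc = 0;   /* bit accumulator */
    int bits = 0;           /* number of valid bits held in acc */

    for (; *in != '\0' && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0) return -1;                    /* reject non-base64 bytes */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_len) return -1;         /* would overflow out[] */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;             /* keep only the leftover bits */
        }
    }
    return (long)n;
}

int main(void)
{
    unsigned char buf[4];                        /* deliberately small buffer */
    /* Constructed input: "aGVsbG8=" decodes to the 5 bytes "hello". */
    printf("fits in 4 bytes? %ld\n", base64_to_bits_bounded("aGVsbG8=", buf, sizeof buf));
    return 0;
}
```

The second call path is the one the original function lacked: with no length parameter the decoder has no way to know where the caller's buffer ends.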
CAN-2005-0021 and CAN-2005-0022, this will be RHSA-2005:025
Not quite sure why this is in modified, as it appears there are issues getting
the package built. Flipping back to assigned until we have packages built with
the fix in them.
We have fixed packages built: 4.43-1.RHEL4.2
There was a problem with 4.43-1.RHEL4.2 -- the patch was present but not
applied. This is fixed in exim-4.43-1.RHEL4.3
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.