Bug 144242 - CAN-2005-0021 exim security issues (CAN-2005-0022)
Summary: CAN-2005-0021 exim security issues (CAN-2005-0022)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: exim
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL: http://www.exim.org/mail-archives/exi...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-01-05 08:58 UTC by Mark J. Cox
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-03-18 09:39:06 UTC
Type: ---
Embargoed:



Description Mark J. Cox 2005-01-05 08:58:48 UTC
*** This bug has been split off bug 144099 ***

------- Original comment by David Woodhouse on 2005.01.04 10:45 -------

Discussion of security issues
-----------------------------

1. The function host_aton() can overflow a buffer if it is presented with an
   illegal IPv6 address that has more than 8 components. The input to this
   function is supposed to be checked; the report said that an unchecked value
   could be passed via the command line (without specifying which command line
   option, annoyingly). I found one such case, which was a call to a dnsdb
   lookup for a PTR record, as part of testing expansions using -be. The first
   patch below fixes this - as it happens, this change had already been made to
   the current source.

   The report stated that Exim was running as "exim" when the problem occurred:
   with -be, Exim runs as the calling user. Therefore, either the report was
   wrong, or there is another case that I could not find. However, if there is
   another case, it will now be covered by the second patch below, which puts a
   test into the host_aton() function itself. (This should, of course, have
   been there all the time, as a bit of defensive programming, but hey, I'm
   only human. :-)

2. The second report described a buffer overflow in the function
   spa_base64_to_bits(), which is part of the code for SPA authentication. This
   code originated in the Samba project. The overflow can be exploited only if
   you are using SPA authentication. The remaining patches below fix this
   problem by adding a buffer length parameter to the problem function. I have
   tested that SPA authentication still works, but I don't have the tools to
   test that an attempt to exploit the overflow is now detected.


        CAN-2005-0021/22 Affects: FC2
        CAN-2005-0021/22 Affects: FC3
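As an added illustration of the defensive check described in item 1 above (example code written here, not Exim's host_aton() or its patch): a hypothetical IPv6 text-to-binary parser, parse_ipv6_checked(), that bounds the group count before every write, so an address with more than 8 components is rejected instead of running past the output buffer. Function and buffer names are assumptions for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define IPV6_GROUPS 8   /* an IPv6 address has exactly 8 16-bit groups */

/* Parse one hex group of 1..4 digits; returns chars consumed, 0 on error. */
static int parse_group(const char *s, uint16_t *val)
{
    unsigned v = 0;
    int n = 0;
    while (n < 4 && isxdigit((unsigned char)s[n])) {
        int c = tolower((unsigned char)s[n]);
        v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
        n++;
    }
    if (n == 0 || isxdigit((unsigned char)s[n])) return 0; /* empty or >4 digits */
    *val = (uint16_t)v;
    return n;
}

/* Fill out[8] from textual IPv6 s. Returns 1 on success, 0 on any syntax
   error, including a 9th group (the case that overflowed an unchecked parser). */
int parse_ipv6_checked(const char *s, uint16_t out[IPV6_GROUPS])
{
    uint16_t head[IPV6_GROUPS], tail[IPV6_GROUPS];  /* groups before / after "::" */
    int nhead = 0, ntail = 0, seen_dc = 0;
    const char *p = s;

    if (p[0] == ':') {                      /* only "::" may start an address */
        if (p[1] != ':') return 0;
        seen_dc = 1;
        p += 2;
    }
    while (*p != '\0') {
        if (nhead + ntail >= IPV6_GROUPS) return 0;   /* bound check BEFORE writing */
        int n = parse_group(p, seen_dc ? &tail[ntail] : &head[nhead]);
        if (n == 0) return 0;
        if (seen_dc) ntail++; else nhead++;
        p += n;
        if (*p == '\0') break;
        if (*p != ':') return 0;
        p++;
        if (*p == ':') {                    /* "::" compresses one or more zero groups */
            if (seen_dc) return 0;          /* at most one "::" per address */
            seen_dc = 1;
            p++;
        } else if (*p == '\0') return 0;    /* trailing single colon */
    }
    if (!seen_dc && nhead != IPV6_GROUPS) return 0;
    if (seen_dc && nhead + ntail >= IPV6_GROUPS) return 0; /* "::" must cover >= 1 group */
    memset(out, 0, IPV6_GROUPS * sizeof out[0]);
    memcpy(out, head, (size_t)nhead * sizeof out[0]);
    memcpy(out + IPV6_GROUPS - ntail, tail, (size_t)ntail * sizeof out[0]);
    return 1;
}

/* Convenience for checking results: group i of s, or -1 if s is rejected. */
int ipv6_group(const char *s, int i)
{
    uint16_t g[IPV6_GROUPS];
    if (i < 0 || i >= IPV6_GROUPS || !parse_ipv6_checked(s, g)) return -1;
    return g[i];
}
```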

Comment 2 Mark J. Cox 2005-03-18 09:39:06 UTC
FEDORA-2005-001 20050106
FEDORA-2005-002 20050106

