Bug 2127633 - exim-greylist 4.96 "tainted search query is not properly quoted"
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: exim
Version: 35
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-09-17 16:19 UTC by Russell Odom
Modified: 2022-11-10 22:30 UTC

Fixed In Version: exim-4.96-2.el8 exim-4.96-2.el7 exim-4.96-2.el9 exim-4.96-3.fc35 exim-4.96-3.fc36 exim-4.96-5.fc37
Last Closed: 2022-10-11 10:28:47 UTC
Type: Bug

Attachments
Patch for exim-greylist.conf.inc to add quote_sqlite (654 bytes, patch)
2022-09-17 16:19 UTC, Russell Odom

Description Russell Odom 2022-09-17 16:19:29 UTC
Created attachment 1912549
Patch for exim-greylist.conf.inc to add quote_sqlite

Description of problem:
In the upgrade of exim from 4.94 to 4.96, there is tainting of some additional variables. With the greylisting in the exim-greylist package, one of the INSERTs into the sqlite DB for greylisting tries to use a tainted value, generating a log entry in panic.log and a (permanent) rejection of the message.

Version-Release number of selected component (if applicable):
exim-greylist-4.96-2.fc35.x86_64


How reproducible:
Every time.

Steps to Reproduce:
1. Remote MTA attempts to deliver a message which triggers greylisting, according to whatever rules are configured in exim.conf

Actual results:
panic.log gets an entry like this:
2022-09-16 12:10:50 1oZ9FB-001PZ9-1c tainted search query is not properly quoted (ACL warn, /etc/exim/exim-greylist.conf.inc 116): INSERT INTO greylist VALUES ( 'bacSoGDjdDg7zSzZ1eYy', '1663325650', '2001:1243:567::1', 'example.com' );

Message is rejected.

Expected results:
Message is greylisted (and, if retried later, succeeds).

Additional info:
The attached patch seems to fix it.
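
The panic.log entry quoted in the report names the ACL file and line whose lookup Exim refused to run. The Python below is an added triage example, not part of the original report or of the exim package: it scans panic.log lines for this error and counts rejections per configuration location. The second and third sample lines are constructed, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Layout taken from the panic.log entry quoted in the report:
#   <date> <time> <msgid> tainted search query is not properly quoted
#   (ACL <verb>, <config file> <line>): <query>
TAINT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) "
    r"tainted search query is not properly quoted "
    r"\(ACL (?P<verb>\w+), (?P<file>\S+) (?P<line>\d+)\): "
    r"(?P<query>.*)$"
)

SAMPLE_PANIC_LOG = [
    # Entry quoted in the report.
    "2022-09-16 12:10:50 1oZ9FB-001PZ9-1c tainted search query is not properly quoted (ACL warn, /etc/exim/exim-greylist.conf.inc 116): INSERT INTO greylist VALUES ( 'bacSoGDjdDg7zSzZ1eYy', '1663325650', '2001:1243:567::1', 'example.com' );",
    # Constructed: a second rejection from the same ACL line.
    "2022-09-16 12:14:02 1oZ9JH-001Pb3-0x tainted search query is not properly quoted (ACL warn, /etc/exim/exim-greylist.conf.inc 116): INSERT INTO greylist VALUES ( 'CONSTRUCTEDSAMPLEID00', '1663325842', '192.0.2.10', 'mail.example.net' );",
    # Constructed: an unrelated line that must be ignored.
    "2022-09-16 12:15:00 constructed unrelated panic entry",
]


def parse_taint_entries(lines):
    """Return one dict per taint rejection; other panic.log lines are skipped."""
    entries = []
    for raw in lines:
        match = TAINT_RE.match(raw.strip())
        if match:
            entry = match.groupdict()
            entry["line"] = int(entry["line"])
            entries.append(entry)
    return entries


def summarize_by_location(entries):
    """Count rejections per (config file, line) so each lookup can be reviewed."""
    return Counter((e["file"], e["line"]) for e in entries)


if __name__ == "__main__":
    hits = parse_taint_entries(SAMPLE_PANIC_LOG)
    for (path, lineno), count in summarize_by_location(hits).most_common():
        print(f"{path}:{lineno}  {count} rejected message(s)")
```

Each reported location is a lookup that interpolates a tainted value and needs the matching quoting operator, which is `quote_sqlite` in the patch attached to this bug.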

Comment 2 Fedora Update System 2022-10-03 17:01:32 UTC
FEDORA-2022-50a71ba78c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-50a71ba78c

Comment 3 Fedora Update System 2022-10-03 17:02:00 UTC
FEDORA-2022-40ee7d9a64 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-40ee7d9a64

Comment 4 Fedora Update System 2022-10-03 17:02:38 UTC
FEDORA-2022-4f295d8374 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4f295d8374

Comment 5 Fedora Update System 2022-10-03 17:03:18 UTC
FEDORA-EPEL-2022-fa3d472c04 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-fa3d472c04

Comment 6 Fedora Update System 2022-10-03 17:03:58 UTC
FEDORA-EPEL-2022-0d7031d4ae has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0d7031d4ae

Comment 7 Fedora Update System 2022-10-03 17:04:32 UTC
FEDORA-EPEL-2022-2ea6df27c0 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ea6df27c0

Comment 8 Fedora Update System 2022-10-04 00:27:57 UTC
FEDORA-EPEL-2022-0d7031d4ae has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0d7031d4ae

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-10-04 00:33:35 UTC
FEDORA-EPEL-2022-2ea6df27c0 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ea6df27c0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-10-04 01:23:12 UTC
FEDORA-2022-50a71ba78c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-50a71ba78c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-50a71ba78c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-10-04 01:45:08 UTC
FEDORA-2022-40ee7d9a64 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-40ee7d9a64`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-40ee7d9a64

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2022-10-04 02:01:52 UTC
FEDORA-2022-4f295d8374 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-4f295d8374`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-4f295d8374

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2022-10-04 02:25:51 UTC
FEDORA-EPEL-2022-fa3d472c04 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-fa3d472c04

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2022-10-11 10:28:47 UTC
FEDORA-EPEL-2022-0d7031d4ae has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2022-10-11 10:33:16 UTC
FEDORA-EPEL-2022-2ea6df27c0 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2022-10-11 10:53:35 UTC
FEDORA-EPEL-2022-fa3d472c04 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2022-10-11 11:13:03 UTC
FEDORA-2022-4f295d8374 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 18 Fedora Update System 2022-10-11 11:32:50 UTC
FEDORA-2022-40ee7d9a64 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2022-11-10 22:30:23 UTC
FEDORA-2022-90e08c08e6 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
