Red Hat Bugzilla – Bug 44077
local printf format attack in exim-3.22-10
Last modified: 2008-05-01 11:38:00 EDT
has the same format string problem
as one found in Debian (which has exim-3.12)
The relevant part of the Debian patch seems to be
@@ -2449,7 +2449,7 @@
nothing on success. The function moan_smtp_batch() does not return -
it exits from the program with a non-zero return code. */
- else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
+ else if (smtp_reply != NULL) moan_smtp_batch(NULL, "%s", smtp_reply);
/* Reset headers so that logging of rejects for a subsequent message
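Review bot: On the changed `else if` line, adding "%s" closes this one call, but the second argument of moan_smtp_batch() is still a printf-style format and nothing in this hunk prevents another caller from passing variable text in that position. Suggest checking the remaining callers of moan_smtp_batch() for the same pattern, and declaring the function with a printf format attribute (for GCC, `__attribute__((format(printf, 2, 3)))`, matching the argument order shown here) so that a build with `-Wformat-security` flags any non-literal format at compile time.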
Thanks, I saw this.
The maintainer has indicated that this vulnerability is local only, and is not
triggered by SMTP with external sites.
This is fixed in exim-3.22-14.