44077 – local printf format attack in exim-3.22-10

Bug 44077 - local printf format attack in exim-3.22-10

Summary: local printf format attack in exim-3.22-10

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Powertools
Classification:	Retired
Component:	exim
Sub Component:
Version:	7.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-06-11 01:19 UTC by Need Real Name
Modified:	2008-05-01 15:38 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2001-06-11 14:46:13 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2001:078	0	high	SHIPPED_LIVE	: Format string bug fixed in exim	2001-06-11 04:00:00 UTC

Description Need Real Name 2001-06-11 01:19:41 UTC

The exim-3.22-10

has the same format string problem 
as one found in Debian	(which has exim-3.12)
http://lwn.net/daily/deb-exim.php3

The relevant part of Debian patch seems is
--- exim-3.12.orig/src/accept.c
+++ exim-3.12/src/accept.c
@@ -2449,7 +2449,7 @@
   nothing on success. The function moan_smtp_batch() does not return -
   it exits from the program with a non-zero return code. */
 
-  else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
+  else if (smtp_reply != NULL) moan_smtp_batch(NULL, "%s", smtp_reply);
   }
 
 /* Reset headers so that logging of rejects for a subsequent message
doesn't
--- exim-3.12.orig/src/configure.default

Comment 1 Tim Waugh 2001-06-11 08:14:52 UTC

Thanks, I saw this.

Comment 2 Tim Waugh 2001-06-11 14:46:09 UTC

The maintainer has indicated that this vulnerability is local only, and is not 
triggered by SMTP with external sites.

Comment 3 Tim Waugh 2001-06-26 12:16:05 UTC

This is fixed in exim-3.22-14.

Note You need to log in before you can comment on or make changes to this bug.