Bug 702474 (CVE-2011-1764) - CVE-2011-1764 exim: improper format string handling in DKIM signatures
Summary: CVE-2011-1764 exim: improper format string handling in DKIM signatures
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2011-1764
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 702475 705448
Blocks:
Reported: 2011-05-05 18:40 UTC by Vincent Danen
Modified: 2021-02-24 15:30 UTC (History)

Fixed In Version: exim 4.76
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-10 18:36:33 UTC
Embargoed:



Description Vincent Danen 2011-05-05 18:40:26 UTC
It was reported [1],[2] that Exim would improperly interpret '%' in a DKIM (DomainKeys Identified Mail) signature, which would get logged to the paniclog.  It is possible that using '%n' in the DKIM signature could be used to overwrite stack data, which could cause Exim to crash.

DKIM support has been in Exim since version 4.70.

A fix has been pushed upstream [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624670
[2] http://bugs.exim.org/show_bug.cgi?id=1106
[3] http://git.exim.org/exim.git/commitdiff/337e3505b0e6cd4309db6bf6062b33fa56e06cf8


Statement:

Not vulnerable. This issue did not affect the versions of exim as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for DKIM.
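As an added illustration of the bug class described above (this is not Exim's own code and not the upstream patch), the vulnerable and hardened logging patterns side by side in C, with a constructed DKIM-Signature value as the untrusted input:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_SIZE 256

/* Tiny stand-in for a paniclog writer: varargs in, formatted line out.
   Same shape as a typical log_write(flags, selector, fmt, ...). */
static int paniclog_write(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* VULNERABLE pattern: the attacker-controlled signature text *is* the
   format string, so every '%' sequence in it is interpreted by vsnprintf.
   A '%n' directive there becomes a memory write; the demonstration below
   only feeds it a benign "%%" so the behaviour stays well-defined. */
int log_dkim_vulnerable(char *out, size_t n, const char *sig)
{
    return paniclog_write(out, n, sig);
}

/* HARDENED pattern: constant format string, signature passed as a plain
   argument. '%' bytes in the signature are now just data. */
int log_dkim_hardened(char *out, size_t n, const char *sig)
{
    return paniclog_write(out, n, "DKIM: signature rejected: %s", sig);
}

/* Audit helper: number of '%' bytes in an untrusted string, i.e. how many
   directives a format function would try to interpret if it were passed
   as the format argument. */
int count_format_chars(const char *s)
{
    int c = 0;
    for (; *s; s++) if (*s == '%') c++;
    return c;
}

/* Run one of the two loggers on sig and report whether the produced log
   line equals expect (1) or not (0). */
int dkim_log_line_matches(int hardened, const char *sig, const char *expect)
{
    char buf[LOG_SIZE];
    if (hardened) log_dkim_hardened(buf, sizeof buf, sig);
    else          log_dkim_vulnerable(buf, sizeof buf, sig);
    return strcmp(buf, expect) == 0;
}
```

With the hardened logger a signature containing "%n" reaches the log byte for byte; with the vulnerable one even the harmless "%%" is already rewritten, which is the tell-tale sign that the data is being treated as a format string.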

Comment 1 Vincent Danen 2011-05-05 18:41:13 UTC
Created exim tracking bugs for this issue

Affects: fedora-all [bug 702475]

Comment 2 Josh Bressers 2011-05-05 18:49:35 UTC
A workaround is to add "control = dkim_disable_verify" to an ACL to prevent processing DKIM signatures.

Comment 3 Vincent Danen 2011-05-17 17:54:24 UTC
Created exim tracking bugs for this issue

Affects: epel-6 [bug 705448]

Comment 4 Vincent Danen 2012-08-10 18:23:54 UTC
According to:

http://wiki.exim.org/EximSecurity

This was resolved in upstream 4.76.  Current supported versions of Fedora provide 4.76, however EPEL6 still provides 4.72 and is still vulnerable.

Comment 5 Vincent Danen 2012-08-10 18:36:33 UTC
It seems that EPEL6 did fix this, but incorrectly noted the wrong CVE:

exim-4.72-0003-CVE-2011-1407.patch is from the git commit above, so it actually fixes CVE-2011-1764 and _not_ CVE-2011-1407 as the patch name and changelog implied.

