Bug 702474 - (CVE-2011-1764) CVE-2011-1764 exim: improper format string handling in DKIM signatures
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110429,reported=20110505,sou...
Keywords: Security
Depends On: 702475 705448
Reported: 2011-05-05 14:40 EDT by Vincent Danen
Modified: 2012-08-10 14:36 EDT (History)

Fixed In Version: exim 4.76
Doc Type: Bug Fix
Last Closed: 2012-08-10 14:36:33 EDT


Attachments: None
Description Vincent Danen 2011-05-05 14:40:26 EDT
It was reported [1], [2] that Exim would improperly interpret '%' in a DKIM (DomainKeys Identified Mail) signature, which would get logged to the paniclog.  It is possible that using '%n' in the DKIM signature could be used to overwrite stack data, which could cause Exim to crash.

DKIM support has been in Exim since version 4.70.

A fix has been pushed upstream [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624670
[2] http://bugs.exim.org/show_bug.cgi?id=1106
[3] http://git.exim.org/exim.git/commitdiff/337e3505b0e6cd4309db6bf6062b33fa56e06cf8


Statement:

Not vulnerable. This issue did not affect the versions of exim as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for DKIM.
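The bug class the description refers to, shown as an added illustration rather than Exim's own code: a log routine that formats its first argument printf-style, called once in the vulnerable shape (the untrusted DKIM-Signature text ends up inside the format string) and once in the fixed shape (constant format, header as an argument). The function names, the buffer sizes and the sample header are assumptions constructed for this example. The sample uses "%%" rather than "%n" because "%%" has a well-defined result when misinterpreted as a format, which makes the difference between the two paths visible without triggering a memory write.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a log_write()-style routine: whatever arrives
 * in `fmt` is interpreted by vsnprintf. Assumed name, not an Exim function. */
static int paniclog_write(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape: the message is assembled first, with the untrusted
 * DKIM-Signature text inside it, and the assembled message is then passed
 * as the FORMAT argument. Every '%' from the header is now a directive. */
int log_dkim_vulnerable(char *out, size_t outlen, const char *dkim_sig)
{
    char msg[512];
    snprintf(msg, sizeof msg, "DKIM: verifying signature %s", dkim_sig);
    return paniclog_write(out, outlen, msg);   /* msg used as the format */
}

/* Fixed shape: the format is a constant and the header is an argument,
 * so '%' in the header is copied through verbatim. */
int log_dkim_fixed(char *out, size_t outlen, const char *dkim_sig)
{
    return paniclog_write(out, outlen, "DKIM: verifying signature %s", dkim_sig);
}

/* Triage check over a captured header value: a legitimate DKIM-Signature
 * never needs a '%', so its presence is worth a closer look. */
bool dkim_sig_has_percent(const char *dkim_sig)
{
    return strchr(dkim_sig, '%') != NULL;
}

int main(void)
{
    /* Constructed header value for the demonstration. */
    const char *sig = "v=1; a=rsa-sha256; d=example.com; s=sel; b=abc%%def";
    char buf[256];

    log_dkim_vulnerable(buf, sizeof buf, sig);
    printf("vulnerable: %s\n", buf);   /* ends in b=abc%def: "%%" was consumed */
    log_dkim_fixed(buf, sizeof buf, sig);
    printf("fixed:      %s\n", buf);   /* ends in b=abc%%def: copied through */
    printf("header contains '%%': %s\n", dkim_sig_has_percent(sig) ? "yes" : "no");
    return 0;
}
```

With "%n" in place of "%%", the vulnerable path would attempt to store a byte count through whatever pointer vsnprintf reads from the argument area, which is the stack write the description mentions; the fixed path would simply log the literal characters.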
Comment 1 Vincent Danen 2011-05-05 14:41:13 EDT
Created exim tracking bugs for this issue

Affects: fedora-all [bug 702475]
Comment 2 Josh Bressers 2011-05-05 14:49:35 EDT
A workaround is to add "control = dkim_disable_verify" to an ACL to prevent processing DKIM signatures.
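One concrete placement of that workaround, added here as an illustration and not taken from the bug or from Exim's documentation; the ACL name acl_check_rcpt and the choice of the RCPT ACL are assumptions:

```exim
# Main section: name the ACL that runs for each RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Workaround for CVE-2011-1764 on an unpatched Exim from 4.70 up to the
  # fix in 4.76: switch off DKIM verification so incoming DKIM-Signature
  # headers are never processed (and so never reach the paniclog).
  # The control has to be set in an ACL that runs before DATA, because
  # verification happens on the message body.
  warn
    control = dkim_disable_verify

  # ... the usual recipient checks follow here; do not replace them with a
  # bare accept, or the host becomes an open relay.
```

Check which version is running with `exim -bV` before relying on this; once 4.76 or the distribution's backported patch is installed the control can be removed again.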
Comment 3 Vincent Danen 2011-05-17 13:54:24 EDT
Created exim tracking bugs for this issue

Affects: epel-6 [bug 705448]
Comment 4 Vincent Danen 2012-08-10 14:23:54 EDT
According to:

http://wiki.exim.org/EximSecurity

This was resolved in upstream 4.76.  Current supported versions of Fedora provide 4.76, however EPEL6 still provides 4.72 and is still vulnerable.
Comment 5 Vincent Danen 2012-08-10 14:36:33 EDT
It seems that EPEL6 did fix this, but incorrectly noted the wrong CVE:

exim-4.72-0003-CVE-2011-1407.patch is from the git commit above, so it actually fixes CVE-2011-1764 and _not_ CVE-2011-1407 as the patch name and changelog implied.
