Date: Sat, 7 May 2011 21:58:06 GMT From: Alexander Wittig <alexander@wittig.name> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/156872: [SECURITY-UPDATE] mail/exim: patch for remote code execution vulnerability (CVE-2011-1764) Message-ID: <201105072158.p47Lw6dL016731@red.freebsd.org> Resent-Message-ID: <201105072200.p47M0JpA085735@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 156872 >Category: ports >Synopsis: [SECURITY-UPDATE] mail/exim: patch for remote code execution vulnerability (CVE-2011-1764) >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sat May 07 22:00:19 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Alexander Wittig >Release: 8.2 Stable >Organization: >Environment: FreeBSD hotzenplotz.wittig.name 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Apr 9 18:46:35 CEST 2011 root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX amd64 >Description: CVE-2011-1764: Exim's DKIM code interprets arbitrary strings provided in (correct) DKIM headers as C format strings, which very likely allows arbitrary remote code execution. See https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html for details. The attached patch will correct this error and is taken directly from the GIT repository given in the above message (http://git.exim.org/exim.git/commitdiff_plain/337e3505b0e6cd4309db6bf6062b33fa56e06cf8). There will quite likely be a security release of exim version 4.76 very soon ("before Monday"), so it may not be worth the effort to put in this patch before that. However, there should be a VUXML entry for this in any case. >How-To-Repeat: Install exim >Fix: Place the attached patch (patch-src::dkim.c), taken from the above source, in the files directory. That'll fix this vulnerability. Patch attached with submission follows: --- src/dkim.c +++ src/dkim.c @@ -108,7 +108,7 @@ void dkim_exim_verify_finish(void) { /* Log a line for each signature */ uschar *logmsg = string_append(NULL, &size, &ptr, 5, - string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ", + string_sprintf( "d=%s s=%s c=%s/%s a=%s ", sig->domain, sig->selector, (sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed", @@ -176,7 +176,7 @@ void dkim_exim_verify_finish(void) { } logmsg[ptr] = '\0'; - log_write(0, LOG_MAIN, (char *)logmsg); + log_write(0, LOG_MAIN, "DKIM: %s", logmsg); /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */ dkim_signers = string_append(dkim_signers, >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201105072158.p47Lw6dL016731>