diff options
| author | Phil Pennock <phil+git@pennock-tech.com> | 2020-10-29 11:47:58 -0400 |
|---|---|---|
| committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:19 +0200 |
| commit | 6d2cfb575c95c1b81597d6b9eb2904cd695d7e4a (patch) | |
| tree | b9b310a4bf82e54ce9977ed253ede00f2a3d4a6c | |
| parent | 7a7136ba7f5c2db33c7e320ffd4675335c4557e5 (diff) | |
| download | exim4-6d2cfb575c95c1b81597d6b9eb2904cd695d7e4a.tar.gz | |
SECURITY: fix Qualys CVE-2020-SLCWD
(cherry picked from commit bf5f9d56fadf9be8d947f141d31f7e0e8fa63762)
| -rw-r--r-- | doc/doc-txt/ChangeLog | 8 | ||||
| -rw-r--r-- | src/src/exim.c | 6 | ||||
| -rw-r--r-- | src/src/macros.h | 14 |
3 files changed, 19 insertions, 9 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 7dbccb788..7ed412ea9 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -174,12 +174,12 @@ PP/02 Bug 2643: Correct TLS DH constants. incorrect Diffie-Hellman constants in the Exim source. Reported by kylon94, code-gen tool fix by Simon Arlott. -PP/03 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX - better. Reported by Qualys. - -PP/04 Impose security length checks on various command-line options. +PP/03 Impose security length checks on various command-line options. Fixes CVE-2020-SPRSS reported by Qualys. +PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX + better. Reported by Qualys. + Exim version 4.94 ----------------- diff --git a/src/src/exim.c b/src/src/exim.c index 34159da93..067c47f80 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -3828,7 +3828,13 @@ during readconf_main() some expansion takes place already. */ /* Store the initial cwd before we change directories. Can be NULL if the dir has already been unlinked. */ +errno = 0; initial_cwd = os_getcwd(NULL, 0); +if (!initial_cwd && errno) + exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno)); + +if (initial_cwd && (strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE)) + exim_fail("exim: initial cwd is far too long (%d)\n", Ustrlen(CCS initial_cwd)); /* checking: -be[m] expansion test - diff --git a/src/src/macros.h b/src/src/macros.h index cebbf4085..f83ba1933 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -153,7 +153,9 @@ enough to hold all the headers from a normal kind of message. */ /* The initial size of a big buffer for use in various places. It gets put into big_buffer_size and in some circumstances increased. It should be at least -as long as the maximum path length. */ +as long as the maximum path length PLUS room for string additions. +Let's go with "at least twice as large as maximum path length". +*/ #ifdef AUTH_HEIMDAL_GSSAPI /* RFC 4121 section 5.2, SHOULD support 64K input buffers */ @@ -162,10 +164,12 @@ as long as the maximum path length. */ # define __BIG_BUFFER_SIZE 16384 #endif -#if defined PATH_MAX && PATH_MAX > __BIG_BUFFER_SIZE -# define BIG_BUFFER_SIZE PATH_MAX -#elif defined MAXPATHLEN && MAXPATHLEN > __BIG_BUFFER_SIZE -# define BIG_BUFFER_SIZE MAXPATHLEN +#ifndef PATH_MAX +/* exim.h will have ensured this exists before including us. */ +# error headers confusion, PATH_MAX missing in macros.h +#endif +#if (PATH_MAX*2) > __BIG_BUFFER_SIZE +# define BIG_BUFFER_SIZE (PATH_MAX*2) #else # define BIG_BUFFER_SIZE __BIG_BUFFER_SIZE #endif |