Commit log (one entry per commit: subject; author, date, files changed, lines removed/added; then the commit message)
* Merge branch 'exim-4.92.3+fixes+qualys' into exim-4.92.3+fixes  [branch: exim-4.92.3+fixes]
  Heiko Schlittermann (HS12-RIPE), 2021-05-01, 39 files changed, -351/+799

      Backported from 4.94.2
      - minimal set of Qualys patches where applicable
      - cherry-picks for other patches

      Testsuite (using GNUTLS) has the same failures as 4.92.3+fixes

* Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)
  Heiko Schlittermann (HS12-RIPE), 2021-05-01, 1 file changed, -0/+1

      (cherry picked from commit 919111edac911ba9c15422eafd7c5bf14d416d26)

* testsuite: reproduce BDAT with missing eol (Bug 1974)
  Heiko Schlittermann (HS12-RIPE), 2021-05-01, 3 files changed, -10/+73

      (cherry picked from commit e9cecc465a570c1a4f34b199eae6bdd0a52ee2b0)

* testsuite: adjustments for CVE-2020-28014, CVE-2021-27216 (Arbitrary PID file creation)
  Heiko Schlittermann (HS12-RIPE), 2021-05-01, 2 files changed, -56/+0

* CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering, and deletion
  Heiko Schlittermann (HS12-RIPE), 2021-05-01, 4 files changed, -21/+232

      Arbitrary PID file creation, clobbering, and deletion.
      Patch provided by Qualys.

      (cherry picked from commit 974f32939a922512b27d9f0a8a1cb5dec60e7d37)
      (cherry picked from commit 43c6f0b83200b7082353c50187ef75de3704580a)

* testsuite: adjustments for CVE-2020-28008 (spool dir attacks)
  Heiko Schlittermann (HS12-RIPE), 2021-05-01, 9 files changed, -9/+0

* CVE-2020-28008: Assorted attacks in Exim's spool directory
  Heiko Schlittermann (HS12-RIPE), 2021-04-30, 11 files changed, -54/+80

      We patch dbfn_open() by introducing two functions priv_drop_temp() and
      priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
      and restore_uid()), which temporarily drop and restore root privileges
      thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
      (the project) doesn't trust seteuid to work reliably") but, to the best
      of our knowledge, seteuid() works everywhere and is the only way to
      securely fix dbfn_open().

      (cherry picked from commit 18da59151dbafa89be61c63580bdb295db36e374)
      (cherry picked from commit b05dc3573f4cd476482374b0ac0393153d344338)
* CVE-2020-28007: Link attack in Exim's log directory
  Qualys Security Advisory, 2021-04-30, 5 files changed, -182/+234

      We patch this vulnerability by opening (instead of just creating) the
      log file in an unprivileged (exim) child process, and by passing this
      file descriptor back to the privileged (root) parent process. The two
      functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
      functions mm_send_fd() and mm_receive_fd(); thanks!

      This patch also fixes:

      - a NULL-pointer dereference in usr1_handler() (this signal handler is
        installed before process_log_path is initialized);

      - a file-descriptor leak in dmarc_write_history_file() (two return
        paths did not close history_file_fd).

      Note: the use of log_open_as_exim() in dmarc_write_history_file()
      should be fine because the documentation explicitly states "Make sure
      the directory of this file is writable by the user exim runs as."

      (cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
      (cherry picked from commit 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a)

* CVE-2020-28019: Failure to reset function pointer after BDAT error
  Qualys Security Advisory, 2021-04-30, 3 files changed, -9/+48

      Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
      Harris's commits aa171254 and 9aceb5c2.

* Security: Avoid modification of constant data in dkim handling
  Qualys Security Advisory, 2021-04-30, 1 file changed, -9/+12

      Based on Heiko Schlittermann's commits f880c7f3 and c118c7f4.

      This fixes:

      6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes
      called with a global orig_data and hence canon_data, and the following
      line can therefore modify data that should be constant:

          773     canon_data->len = b->bodylength - b->signed_body_bytes;

      For example, the following proof of concept sets lineending.len to 0
      (this should not be possible):

          (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25

          (gdb) print lineending
          $1 = {data = 0x55e18035b2ad "\r\n", len = 2}
          (gdb) print &lineending.len
          $3 = (size_t *) 0x55e180385948 <lineending+8>
          (gdb) watch *(size_t *) 0x55e180385948
          Hardware watchpoint 1: *(size_t *) 0x55e180385948

          Old value = 2
          New value = 0
          (gdb) print lineending
          $5 = {data = 0x55e18035b2ad "\r\n", len = 0}

* Security: Leave a clean smtp_out input buffer even in case of read error
  Qualys Security Advisory, 2021-04-30, 1 file changed, -2/+4

      Based on Heiko Schlittermann's commit 54895bc3.

      This fixes:

      7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
      when -1 is returned. This does not seem to have bad consequences, but
      is maybe not the intended behavior.

* Security: Avoid decrement of dkim_collect_input if already at 0
  Qualys Security Advisory, 2021-04-30, 1 file changed, -1/+1

      Based on Heiko Schlittermann's commit bf2d6e58.

      This fixes:

      5/ receive_msg() calls dkim_exim_verify_finish(), which sets
      dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls
      pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX,
      which reactivates the DKIM code. As a result, pdkim_feed() is called
      again (through receive_getc at the end of receive_msg()), but functions
      like pdkim_finish_bodyhash() and exim_sha_finish() have already been
      called (in pdkim_feed_finish()). This suggests a use-after-free. But it
      seems that a use-after-free would happen only with EVP_DigestFinal()
      (in exim_sha_finish()), which does not seem to be reachable via DKIM
      (no SHA3). But we checked OpenSSL only, not GnuTLS.

      Here is a proof of concept that triggers the bug (which came very close
      to a security vulnerability):

          (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'BDAT 42 LAST'; date >&2; sleep 30; printf 'not a valid header line\r\n DKIM-Signature:\r\nXXX'; sleep 30) | nc -n -v 192.168.56.102 25

          (gdb) print &dkim_collect_input
          $2 = (unsigned int *) 0x55e180386d90 <dkim_collect_input>
          (gdb) watch *(unsigned int *) 0x55e180386d90
          Hardware watchpoint 1: *(unsigned int *) 0x55e180386d90

          Old value = 0
          New value = 4294967295
          #0  0x000055e18031f805 in pdkim_header_complete (ctx=ctx@entry=0x55e181b9e8e0) at pdkim.c:1006
          #1  0x000055e18032106c in pdkim_feed_finish (ctx=0x55e181b9e8e0, return_signatures=0x55e180386d78 <dkim_signatures>, err=err@entry=0x7ffe443e1d00) at pdkim.c:1490
          #2  0x000055e1802a3280 in dkim_exim_verify_finish () at dkim.c:328
          #3  0x000055e1802c9d1d in receive_msg (extract_recip=extract_recip@entry=0) at receive.c:3409

* Security: Fix off-by-one in smtp transport (read response)
  Qualys Security Advisory, 2021-04-30, 1 file changed, -2/+2

      Based on Heiko Schlittermann's commit 1887a160.

      This fixes:

      1/ In src/transports/smtp.c:

          2281   int n = sizeof(sx->buffer);
          2282   uschar * rsp = sx->buffer;
          2283
          2284   if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
          2285     { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

      This should probably be either:

          rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

      or:

          rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

      (not sure which) to avoid an off-by-one.
* Security: Always exit when LOG_PANIC_DIE is set
  Qualys Security Advisory, 2021-04-30, 1 file changed, -0/+1

* Security: Check overrun rcpt_count integer
  Qualys Security Advisory, 2021-04-30, 1 file changed, -0/+2

      Based on Heiko Schlittermann's commit e5cb5e61.

      This fixes:

      4/ In src/smtp_in.c:

          4966       case RCPT_CMD:
          4967       HAD(SCH_RCPT);
          4968       rcpt_count++;
          ....
          5123       if (rcpt_count > recipients_max && recipients_max > 0)

      In theory this recipients_max check can be bypassed, because the int
      rcpt_count can overflow (become negative). In practice this would
      either consume too much memory or generate too much network traffic,
      but maybe it should be fixed anyway.

* Security: Safeguard against relative names for msglog files.
  Qualys Security Advisory, 2021-04-30, 1 file changed, -0/+4

      Based on Heiko Schlittermann's commit 4f0ac4ad.

      This fixes:

      3/ In src/deliver.c:

          333 static int
          334 open_msglog_file(uschar *filename, int mode, uschar **error)
          335 {
          336 if (Ustrstr(filename, US"/../"))
          337   log_write(0, LOG_MAIN|LOG_PANIC,
          338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);

      Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will
      log the /../ attempt but will open the file anyway.

* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  Qualys Security Advisory, 2021-04-30, 1 file changed, -0/+4

* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  Qualys Security Advisory, 2021-04-30, 2 files changed, -0/+6

* CVE-2020-28009: Integer overflow in get_stdinput()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -1/+22

* CVE-2020-28015+28021: New-line injection into spool header file
  Qualys Security Advisory, 2021-04-30, 1 file changed, -4/+17

* CVE-2020-28026: Line truncation and injection in spool_read_header()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -15/+33

      This also fixes:

      2/ In src/spool_in.c:

          462 while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
          463       && big_buffer[len-1] != '\n'
          464       )
          465   { /* buffer not big enough for line; certs make this possible */
          466   uschar * buf;
          467   if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
          468   buf = store_get_perm(big_buffer_size *= 2, FALSE);
          469   memcpy(buf, big_buffer, --len);

      The --len in memcpy() chops off a useful byte (we know for sure that
      big_buffer[len-1] is not a '\n' because we entered the while loop).

* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -7/+13

      Based on Phil Pennock's commit c5017adf.

* CVE-2020-28017: Integer overflow in receive_add_recipient()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -2/+8

      Based on Phil Pennock's commit e3b441f7.

* Security: Refuse negative and large store allocations
  Qualys Security Advisory, 2021-04-30, 1 file changed, -1/+28

      Based on Phil Pennock's commits b34d3046 and e6c1606a.

* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -3/+6

      Based on Phil Pennock's commit 8a50c88a.

* CVE-2020-28011: Heap buffer overflow in queue_run()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -4/+10

* CVE-2020-28010: Heap out-of-bounds write in main()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -5/+6

      Based on Phil Pennock's commit 0f57feb4.

* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  Qualys Security Advisory, 2021-04-30, 3 files changed, -3/+5

      Extracted from Jeremy Harris's commit afaf5a50.

* CVE-2020-28018: Use-after-free in tls-openssl.c
  Qualys Security Advisory, 2021-04-30, 1 file changed, -4/+0

* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
  Qualys Security Advisory, 2021-04-30, 1 file changed, -3/+3
* CHUNKING: fix all-RCPTs-rejected, non-pipelined. Bug 2454
  Jeremy Harris, 2019-10-19, 5 files changed, -25/+75

      (cherry picked from commit c5040dfdb523ce2a14efbdfa0d3eb69d3afef65a)

* Fix errorcheck in smtp transport
  Jeremy Harris, 2019-10-12, 1 file changed, -1/+1

* Testsuite: avoid picking 0.0.0.0 as the HOSTIPV4; permit 10.0/8 apart from 10.250.0/16
  Jeremy Harris, 2019-09-29, 2 files changed, -2/+4

      Solaris leaves 0.0.0.0 lying around (for not-UP interfaces)

      The suite only needs testspace under 10.250.0/16 so we can permit the
      rest, making testing on many NATted 10.0/8 subnets possible.

      (cherry picked from commit 5c03403d88afcde2bb3f543296b0fca6f05c9f2c)
      (cherry picked from commit bcbca153505de435c881e71297fde83c3ac02cc1)

* fixup! exim_dbmbuild: handle { '\\', '\0' } sequence.
  Heiko Schlittermann (HS12-RIPE), 2019-09-29, 1 file changed, -1/+1

      Credits to Qualys for double checking and reporting.

      (cherry picked from commit cdc7f9a9667ecf31d803fc8d1a31b466284360bd)

* exim_dbmbuild: handle { '\\', '\0' } sequence.
  Heiko Schlittermann (HS12-RIPE), 2019-09-29, 1 file changed, -0/+1

      This fix matches the change introduced for CVE-2019-15846, but isn't
      considered as a security issue; exim_dbmbuild is not designed to run on
      untrusted data.

      Thanks to Thomas Hoger (RedHat) for pointing out.

      (cherry picked from commit 66935633816a88460f5222f40dc29d1a4e877978)
* Fix ${domain:} for a bare local-part input. Bug 2375
  Jeremy Harris, 2019-09-29, 3 files changed, -5/+10

      Broken-by: cebd5bd2ab

      (cherry picked from commit c5b0340697326238b0e2afd9d341185077d60d35)
      (cherry picked from commit 92b922fae5bbd5a70da4c5aa2f43a457842c30eb)
      (cherry picked from commit deda0b271ccd27ae76bd69ad1c1d0ef73e20091d)

* Auth: handle socket read errors in Dovecot authenticator
  Bruce Lee, 2019-09-29, 1 file changed, -2/+2

      (cherry picked from commit c9f1be94cc304f0343c93b66efa41a747d307fb1)
      (cherry picked from commit 4ba26a040b8765dea7134c883d046418a8b053a1)
      (cherry picked from commit 2ac2eff3c9914a9c77b03db64b31819f361576b9)

* Fix crash after TLS channel shutdown
  Jeremy Harris, 2019-09-29, 3 files changed, -52/+39

      (cherry picked from commit bd231acd0f24e4c27c6d6885f48c24360700ec7f)
      (cherry picked from commit 513adf9d59bd8d9515a3c6b9c092a2c376cc6102)
      (cherry picked from commit c8535a954a3ec877083b39088f385ed3174abab7)

* Fix bounce generation under RFC 3461 request. Bug 2411
  Jeremy Harris, 2019-09-29, 6 files changed, -1/+105

      Broken-by: ea97267cea

      (cherry picked from commit df98a6ff2e70887890690ffbf8a8ad583d7d7e38)
      (cherry picked from commit b4a37a77271a8f6efc887d68265eb7867eff6170)
      (cherry picked from commit 145416c70b2e4422f0ff03f402da33a4a4db29e2)
      (cherry picked from commit ee2d305425037fc3bc00e6e44e990a88a92433ab)

* Fix DSN Final-Recipient: field
  Jeremy Harris, 2019-09-29, 16 files changed, -50/+66

      (cherry picked from commits 436bda2ac0c4 and 98d4eb7a84)

      (cherry picked from commit 6b88f51ac13b4fa834796ce12d12c55c95eacc4a)
      (cherry picked from commit ce4d8eca9d3940bb439cdb74a250090fee5538d4)
      (cherry picked from commit f41bc530a8b1a66e811e5c3b4da3df72ecba0e1d)

* Unbreak heimdal_gssapi auth driver
  Phil Pennock, 2019-09-29, 2 files changed, -2/+3

      Commit 251b9eb46 broke heimdal_gssapi by changing the function
      definition in the `.c` without changing the declaration in the `.h`.
      Was part of 4.92.

      Make corresponding `.h` change to reflect newer internal API.

      (cherry picked from commit 6ee110613402e8562c03b4a11c3ffbdbd47bd153)
      (cherry picked from commit 40fe3ea73eb7524a6143755854633ed8392d39b4)
      (cherry picked from commit 171adf11d72efb4781a3028a849e0ed6e521a4fa)
      (cherry picked from commit 250dc372cfb64dfb21db2e7bd67ed28822aa132d)

* Fix detection of 32b platform at build time. Bug 2405
  Jeremy Harris, 2019-09-29, 3 files changed, -73/+83

      (cherry picked from commit 26dd3aa007b3b77969610c031f59388e0953bd00)
      (cherry picked from commit da7f749864e0807f796b8fa19573484c92bdc5c2)
      (cherry picked from commit a8e52cc464c132b8c88718af4367a01538d65b5a)
      (cherry picked from commit d508b5ca595a418667a1ae10e6cadf48a901c6f3)

* Use dsn_from for success-DSN messages. Bug 2404
  Jeremy Harris, 2019-09-29, 2 files changed, -2/+6

      (cherry picked from commit 87abcb247b4444bab5fd0bcb212ddb26d5fd9191)
      (cherry picked from commit 454bab46ae6812e29652d10c390451c962a6f806)
      (cherry picked from commit 9eebb5a0ed51584c18af8b08a27695b806980775)
      (cherry picked from commit 09898a2fe75f7044f9f46bd01dcd0e2f22f61d0d)

* GnuTLS: fix the advertising of acceptable certs by the server. Bug 2389
  Jeremy Harris, 2019-09-29, 2 files changed, -0/+12

      (cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)
      (cherry picked from commit 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4)
      (cherry picked from commit 7eb6988c118847820de130c9317f851983e0ba8b)
      (cherry picked from commit 7894bfc6ccf7157dc5d8a11e297fb71968dd2904)

* Fix listing a named queue by a non-admin user. Bug 2398
  Jeremy Harris, 2019-09-29, 2 files changed, -12/+17

      (cherry picked from commit e5903596a0)
      (cherry picked from commit affc23f0d27bfbca773094146d7e62872ed2895b)
      (cherry picked from commit 772e1c684e79465df71157cdccc57739bb841cae)
      (cherry picked from commit fbf6767e15a0367d3f3a8462bc3a87d96bf7b71a)

* GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp
  Jeremy Harris, 2019-09-29, 4 files changed, -9/+16

      (cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)
      (cherry picked from commit 5e64b73ef7cdaf20b998b3345a588b462fd30bfb)
      (cherry picked from commit 31700e5410af3d27654ff0a32c20d30b1a1e10c3)
      (cherry picked from commit 6712694eae57a7d3544c6f0d8a6c03cd246fdb48)

* Testsuite: GnuTLS version variances
  Jeremy Harris, 2019-09-29, 3 files changed, -16/+8

      (cherry picked from commit e20c4072da517616060d7a6e899b42f65ded4fb0)
      (cherry picked from commit 4a7269057fc3bfcb5b19376725431610407e67bc)
      (cherry picked from commit d1e5e96dd46f68ee04eb27995c026d5f9ae226f6)
      (cherry picked from commit 5453f5d161ce9cc59b496665e7c2d0982d3e3574)

* Testsuite: avoid recent-perl feature use
  Jeremy Harris, 2019-09-29, 1 file changed, -1/+1

      (cherry picked from commit 6010e708237477b8fab5fbed0a972a937d89fc56)
      (cherry picked from commit d4e985be7a3789aa84fb51a0523fc13c7cdff889)
      (cherry picked from commit 904909a0f772b918d3ea4fcb600a7b4d6b647bdf)
      (cherry picked from commit c3d8edaf31b087d4850433f42e9c1eb544640043)

* GnuTLS 3.6.7 cipher strings
  Jeremy Harris, 2019-09-29, 5 files changed, -29/+89

      (cherry picked from commits d9acfc1ce6, 57eb2f6463, b9c6f63cd5)

      WARNING: This changes user-visible and configuration-visible behaviour.
      Read the ChangeLog!

      (cherry picked from commit 656b804e099a4704bd6071241a85bc1e0cc85887)
      (cherry picked from commit bf9375eaa85bfa0dbb973aa03accbe5f21808732)
      (cherry picked from commit d3a0dde57754d2b434957c126e1a22e2094cbbf1)

* Testsuite: output changes resulting
  Jeremy Harris, 2019-09-29, 1 file changed, -1/+1

      Broken-by: 67ea939cf0

      (cherry picked from commit 42e0d3fe36ac7270609a3389f5204a252bcf7d79)
      (cherry picked from commit 62e8cac93cff841d8d657363ece7a4367ccc94b3)
      (cherry picked from commit abcd3b69cb147bb6206d5a7013b27909c1e0288a)
      (cherry picked from commit 0fca1008dd8d9eecdb6218a4d4ea0f7bfe29502c)