]> git.pld-linux.org Git - packages/exim.git/blame - unofficial-hotfix.patch
- rel 26; official fixes for CVE-2023-42114, CVE-2023-42115, CVE-2023-42116. Still...
[packages/exim.git] / unofficial-hotfix.patch
CommitLineData
05c80ef3
AM
1Date: Sun, 1 Oct 2023 11:33:26 +0200\r
2To: exim-dev@lists.exim.org\r
3From: Florian Zumbiehl via Exim-dev <exim-dev@lists.exim.org>\r
4\r
5Hi,\r
6\r
7below you find a patch that fixes some (probably three?) of what I guess are\r
8the vulnerabilities reported by ZDI.\r
9\r
10Please note that the patch is only mildly tested, it is developed based on\r
11the git master branch, but can be applied to older versions with minor\r
12massaging. If you go back far enough, proxy.c was part of smtp_in.c, but if\r
13you adjust for that, the patch can be made to apply there, too.\r
14\r
15Obviously, I have no idea whether this actually addresses what ZDI has\r
16reported, but if not, these probably should be fixed, too, and if so, given\r
17the fact that I managed to rather easily find these vulnerabilities based\r
18on the information that's publicly available, I don't think there is much\r
19point to trying to keep this secret any longer--if anything, it's\r
20counterproductive.\r
21\r
22Also mind you that this is a hot fix, it's neither elegant, nor does it do\r
23any useful error reporting, the goal was simply to prevent out of bounds\r
24accesses.\r
25\r
26Florian\r
27\r
28---\r
29\r
30diff --git a/src/src/auths/external.c b/src/src/auths/external.c\r
31index 078aad0..54966e6 100644\r
32--- a/src/src/auths/external.c\r
33+++ b/src/src/auths/external.c\r
34@@ -101,6 +101,9 @@ if (expand_nmax == 0) /* skip if rxd data */\r
35 if ((rc = auth_prompt(CUS"")) != OK)\r
36 return rc;\r
37 \r
38+if (expand_nmax != 1)\r
39+ return FAIL;\r
40+\r
41 if (ob->server_param2)\r
42 {\r
43 uschar * s = expand_string(ob->server_param2);\r
05c80ef3
AM
44diff --git a/src/src/proxy.c b/src/src/proxy.c\r
45index fbce111..8dd7034 100644\r
46--- a/src/src/proxy.c\r
47+++ b/src/src/proxy.c\r
48@@ -93,6 +93,8 @@ while (capacity > 0)\r
49 do { ret = read(fd, to, 1); } while (ret == -1 && errno == EINTR && !had_command_timeout);\r
50 if (ret == -1)\r
51 return -1;\r
52+ if (!ret)\r
53+ break;\r
54 have++;\r
55 if (last)\r
56 return have;\r
57@@ -254,6 +256,8 @@ if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))\r
58 goto proxyfail;\r
59 }\r
60 \r
61+ if (ret < 16)\r
62+ goto proxyfail;\r
63 /* The v2 header will always be 16 bytes per the spec. */\r
64 size = 16 + ntohs(hdr.v2.len);\r
65 DEBUG(D_receive) debug_printf("Detected PROXYv2 header, size %d (limit %d)\n",\r
66@@ -274,7 +278,7 @@ if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))\r
67 {\r
68 retmore = read(fd, (uschar*)&hdr + ret, size-ret);\r
69 } while (retmore == -1 && errno == EINTR && !had_command_timeout);\r
70- if (retmore == -1)\r
71+ if (retmore < 1)\r
72 goto proxyfail;\r
73 DEBUG(D_receive) proxy_debug(US &hdr, ret, ret + retmore);\r
74 ret += retmore;\r
75@@ -297,6 +301,8 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)\r
76 switch (hdr.v2.fam)\r
77 {\r
78 case 0x11: /* TCPv4 address type */\r
79+ if (ret < 28)\r
80+ goto proxyfail;\r
81 iptype = US"IPv4";\r
82 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;\r
83 inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));\r
84@@ -323,6 +329,8 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)\r
85 proxy_external_port = tmpport;\r
86 goto done;\r
87 case 0x21: /* TCPv6 address type */\r
88+ if (ret < 52)\r
89+ goto proxyfail;\r
90 iptype = US"IPv6";\r
91 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);\r
92 inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));\r
93@@ -381,10 +389,13 @@ else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)\r
94 goto proxyfail;\r
95 ret += r2;\r
96 \r
97+ if(ret > 107)\r
98+ goto proxyfail;\r
99+ hdr.v1.line[ret] = 0;\r
100 p = string_copy(hdr.v1.line);\r
101 end = memchr(p, '\r', ret - 1);\r
102 \r
103- if (!end || (end == (uschar*)&hdr + ret) || end[1] != '\n')\r
104+ if (!end || end[1] != '\n')\r
105 {\r
106 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");\r
107 goto proxyfail;\r
108\r
109-- \r
110## subscription configuration (requires account):\r
111## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/\r
112## unsubscribe (doesn't require an account):\r
113## exim-dev-unsubscribe@lists.exim.org\r
114## Exim details at http://www.exim.org/\r
115## Please use the Wiki with this list - http://wiki.exim.org/\r
This page took 0.082305 seconds and 4 git commands to generate.