ports/156872: [SECURITY-UPDATE] mail/exim: patch for remote code execution vulnerability (CVE-2011-1764)
Alexander Wittig
alexander at wittig.name
Sat May 7 22:00:19 UTC 2011
>Number: 156872
>Category: ports
>Synopsis: [SECURITY-UPDATE] mail/exim: patch for remote code execution vulnerability (CVE-2011-1764)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sat May 07 22:00:19 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Alexander Wittig
>Release: 8.2 Stable
>Organization:
>Environment:
FreeBSD hotzenplotz.wittig.name 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Apr 9 18:46:35 CEST 2011 root at hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX amd64
>Description:
CVE-2011-1764: Exim's DKIM code interprets arbitrary strings provided in (correct) DKIM headers as C format strings, which very likely allows arbitrary remote code execution. See https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html for details.
The attached patch will correct this error and is taken directly from the GIT repository given in the above message (http://git.exim.org/exim.git/commitdiff_plain/337e3505b0e6cd4309db6bf6062b33fa56e06cf8).
There will quite likely be a security release of exim version 4.76 very soon ("before Monday"), so it may not be worth the effort to put in this patch before that. However, there should be a VUXML entry for this in any case.
>How-To-Repeat:
Install exim
>Fix:
Place the attached patch (patch-src::dkim.c), taken from the above source, in the files directory. That'll fix this vulnerability.
Patch attached with submission follows:
--- src/dkim.c
+++ src/dkim.c
@@ -108,7 +108,7 @@ void dkim_exim_verify_finish(void) {
/* Log a line for each signature */
uschar *logmsg = string_append(NULL, &size, &ptr, 5,
- string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
+ string_sprintf( "d=%s s=%s c=%s/%s a=%s ",
sig->domain,
sig->selector,
(sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
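Review bot: the string_sprintf call in dkim_exim_verify_finish still fills logmsg from sig->domain and sig->selector, so the buffer carries text taken from the message's DKIM headers and is safe only while nothing passes it on as a format string; that constraint is not documented anywhere in the hunk. A one-line comment above string_append saying that logmsg is untrusted data and may only be logged through "%s" would guard against a regression. Note also that with "DKIM: " dropped from this format, the log prefix depends entirely on the later log_write change, so the two hunks must be applied together.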
@@ -176,7 +176,7 @@ void dkim_exim_verify_finish(void) {
}
logmsg[ptr] = '\0';
- log_write(0, LOG_MAIN, (char *)logmsg);
+ log_write(0, LOG_MAIN, "DKIM: %s", logmsg);
/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
dkim_signers = string_append(dkim_signers,
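Review bot: the log_write change at line 179 covers only this one call site, and nothing in the diff shows whether other calls in src/dkim.c pass a built buffer as the format argument. Before the port patch is committed, check the file for any remaining log_write or string_sprintf call whose format is not a string literal. Building with -Wformat-security flags calls of the old shape, log_write(0, LOG_MAIN, (char *)logmsg), provided log_write is declared with a printf format attribute, which is not visible in this diff.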
>Release-Note:
>Audit-Trail:
>Unformatted: