ports/156872: [SECURITY-UPDATE] mail/exim: patch for remote code execution vulnerability (CVE-2011-1764)

Alexander Wittig alexander at wittig.name
Sat May 7 22:00:19 UTC 2011


>Number:         156872
>Category:       ports
>Synopsis:       [SECURITY-UPDATE] mail/exim: patch for remote code execution vulnerability (CVE-2011-1764)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 07 22:00:19 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Wittig
>Release:        8.2 Stable
>Organization:
>Environment:
FreeBSD hotzenplotz.wittig.name 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Apr  9 18:46:35 CEST 2011     root at hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX  amd64

>Description:
CVE-2011-1764: Exim's DKIM code interprets arbitrary strings provided in (correct) DKIM headers as C format strings, which very likely allows arbitrary remote code execution. See https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html for details.

The attached patch will correct this error and is taken directly from the GIT repository given in the above message (http://git.exim.org/exim.git/commitdiff_plain/337e3505b0e6cd4309db6bf6062b33fa56e06cf8).

There will quite likely be a security release of exim version 4.76 very soon ("before Monday"), so it may not be worth the effort to put in this patch before that. However, there should be a VUXML entry for this in any case.

>How-To-Repeat:
Install exim
>Fix:
Place the attached patch (patch-src::dkim.c), taken from the above source, in the files directory. That'll fix this vulnerability.

Patch attached with submission follows:

--- src/dkim.c
+++ src/dkim.c
@@ -108,7 +108,7 @@ void dkim_exim_verify_finish(void) {
     /* Log a line for each signature */
     uschar *logmsg = string_append(NULL, &size, &ptr, 5,
 
-      string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
+      string_sprintf( "d=%s s=%s c=%s/%s a=%s ",
                       sig->domain,
                       sig->selector,
                       (sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
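Review bot: the values interpolated by this string_sprintf call (sig->domain, sig->selector) are taken from the message's DKIM header, so the logmsg being assembled is untrusted text, and a one-line comment at the string_append call saying it may only ever be logged as a "%s" argument would keep a later edit from reintroducing the bug. Dropping the "DKIM: " prefix here is only correct together with the second hunk, which restores it in the log_write format, so the two hunks should stay in one patch file in the port.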
@@ -176,7 +176,7 @@ void dkim_exim_verify_finish(void) {
     }
 
     logmsg[ptr] = '\0';
-    log_write(0, LOG_MAIN, (char *)logmsg);
+    log_write(0, LOG_MAIN, "DKIM: %s", logmsg);
 
     /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
     dkim_signers = string_append(dkim_signers,
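Review bot: only this one log_write call is changed, while the context line right after it builds dkim_signers from the same signature data with string_append, so before committing it is worth checking that neither dkim_signers nor any other string built in this file is later handed to log_write or string_sprintf as the format argument. The new call also drops the (char *) cast and passes the uschar * logmsg directly to "%s"; that works for a variadic argument, but keeping the cast would match the removed line and avoid a pointer-signedness warning on stricter builds.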



>Release-Note:
>Audit-Trail:
>Unformatted:
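Added example, not part of the original report and not Exim's code: a stand-alone C illustration of why the pre-patch call shape is unsafe and the patched one is not. `mock_log`, `build_logmsg`, `log_unpatched`, `log_patched` and the sample `d=` value are hypothetical names and constructed data; the sample uses only `%%`, which is well-defined when interpreted as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* stand-in for the main log */

/* Hypothetical printf-style logger standing in for log_write(). */
static const char *mock_log(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(last_log, sizeof last_log, format, ap);
    va_end(ap);
    return last_log;
}

/* Build the per-signature text; domain plays the role of sig->domain. */
static void build_logmsg(char *out, size_t n, const char *prefix,
                         const char *domain)
{
    snprintf(out, n, "%sd=%s s=sel c=relaxed/relaxed a=rsa-sha256 ",
             prefix, domain);
}

/* Pre-patch shape: the header-derived text is itself the format string. */
static const char *log_unpatched(const char *domain)
{
    char msg[200];
    build_logmsg(msg, sizeof msg, "DKIM: ", domain);
    return mock_log(msg);
}

/* Patched shape: constant format, header-derived text is only an argument. */
static const char *log_patched(const char *domain)
{
    char msg[200];
    build_logmsg(msg, sizeof msg, "", domain);
    return mock_log("DKIM: %s", msg);
}

int main(void)
{
    const char *d = "example%%.test";   /* constructed sample value */
    printf("unpatched: %s\n", log_unpatched(d));
    printf("patched:   %s\n", log_patched(d));
    printf("altered:   %s\n", strstr(log_unpatched(d), d) ? "no" : "yes");
    return 0;
}
```

The unpatched path collapses `%%` to `%`, which shows the logger parsing header-derived bytes as conversion specifications; the patched path logs them verbatim.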


