[From nobody Sat Apr 25 13:07:05 2026
Received: (at submit) by bugs.debian.org; 12 Feb 2026 21:36:28 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-18.9 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,FOURLA,
 HAS_PACKAGE,HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS,
 XMAILER_REPORTBUG autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 90; hammy, 150; neutral, 279; spammy,
 0. spammytokens: hammytokens:0.000-+--sk:taint_o,
 0.000-+--sk:TAINT_O, 
 0.000-+--sk:taint_u, 0.000-+--sk:TAINT_U, 0.000-+--HTo:N*Debian
Return-path: <bounce.None@return.smtpcorp.com>
Received: from a4i606.smtp2go.com ([158.120.82.94]:56111)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <bounce.None@return.smtpcorp.com>)
 id 1vqeML-005msh-2U for submit@bugs.debian.org;
 Thu, 12 Feb 2026 21:36:28 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smtpservice.net;
 i=@smtpservice.net; q=dns/txt; s=a1-4; t=1770931144; h=feedback-id :
 x-smtpcorp-track : date : message-id : to : subject : from : reply-to
 : sender : list-unsubscribe : list-unsubscribe-post;
 bh=c1wUHsQSo2w0RRSi/UFpDv2Tx6tmPfqT/SXHsuAPUfc=;
 b=q/0Phh0+1KC+QGRrMm8f9G4ZMsI7UkuckS+R/9OrLDDoKWQofYUYn/oEG2DuZbqfLqqph
 FQvyyQMdYbpX7n7OGIJejtM0h6d24LwcmjTa+bB2aRCWV//iGREcsH3NR1rf6tPdUbLqxgj
 YdPnOOMhPBmMlI1LihmpjWZJLP+5K9ug21aQ/7vQpiiykSZBJvGaLg9QkPp4OG5LyV5N9NQ
 q367JUe4rrCzfAeM+2dxkFe69rGT80VJE1oe5zQ7p3546BKNyh1iTJgjJido+MmO+XEF6xG
 KvZ80ZdoF7+eSuoz0W+yVVa01OnyQAzvqiH0mppTadVq837/F1hZcV0tIEsw==
Received: from jasen by smtpcorp.com with local (Exim 4.99.1-S2G)
 (envelope-from <jasen@crackle.treshna.com>)
 id 1vqe4t-0Ae32hbYDQG-MKcC; Thu, 12 Feb 2026 21:18:23 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Jasen <jasen@crackle.treshna.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4-config: bad pgsql lookup sample in config files: '${quote_pgsql
 misused
Message-ID: <177093110330.3054209.10028208255512238157.reportbug@crackle.treshna.com>
X-Mailer: reportbug 13.2.0
Date: Fri, 13 Feb 2026 10:18:23 +1300
X-Report-Abuse: Please forward a copy of this message, including all headers,
 to <abuse-report@smtp2go.com>
X-smtpcorp-track: None
X-Greylist: delayed 1039 seconds by postgrey-1.37 at buxtehude;
 Thu, 12 Feb 2026 21:36:25 UTC
Delivered-To: submit@bugs.debian.org

Package: exim4-config
Version: 4.99.1-3
Severity: minor

Dear Maintainer,


I was grepping the sample config and found the following:

# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
(seen in /etc/exim4/conf.d/auth/30_exim4-config_examples)


While this initially looks good, it is not, because ${quote_pgsql uses
escape-string quoting, while modern versions of PostgreSQL (for the last
10 years) use standard-conforming strings by default. (This setting makes
the backslash an ordinary character.)

https://www.postgresql.org/docs/9.3/runtime-config-compatible.html#GUC-STANDARD-CONFORMING-STRINGS
https://www.postgresql.org/docs/9.3/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECID72

Fortunately the mitigation for this flaw is trivial: prefix the string
with an "e", like this:

# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = e'${quote_pgsql:$auth1}'}{$value}fail}



-- Package-specific info:
Exim version 4.99.1-S2G #2 built 28-Dec-2025 06:06:41
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2025
Hints DB:
 Using sqlite3
Support for: Content_Scanning Local_Scan Exim_filter Sieve_filter crypteq Expand_dlfunc iconv() IPv6 PAM Perl GnuTLS move_frozen_messages TLS_resume DANE DKIM DNSSEC ESMTP_Limits ESMTP_Wellknown Event I18N OCSP PIPECONNECT PRDR PROXY Queue_Ramp SOCKS SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 passwd pgsql redis spf sqlite
Authenticators (built-in): cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers (built-in): accept dnslookup ipliteral iplookup manualroute redirect queryprogram
Transports (built-in): appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.43+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4-config depends on:
ii  adduser                3.152
ii  debconf [debconf-2.0]  1.5.91

Versions of packages exim4-config recommends:
ii  ca-certificates  20250419

exim4-config suggests no packages.

-- Configuration Files:
/etc/exim4/conf.d/auth/30_exim4-config_examples changed [not included]
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions changed [not included]
/etc/exim4/conf.d/retry/30_exim4-config changed [not included]
/etc/exim4/conf.d/router/850_exim4-config_lowuid changed [not included]
/etc/exim4/conf.d/transport/30_exim4-config_mail_spool changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: '/etc/exim4/passwd.client'

-- debconf information excluded
]
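The following is an added worked example, not code from the bug report, Exim, Debian or PostgreSQL. It models the mismatch the report describes: quote_pgsql() mirrors the backslash escaping that Exim's pgsql quoting applies (the exact escaped character set is an assumption taken from the Exim spec linked above), and lex_string_literal() is a deliberately minimal model of how the PostgreSQL lexer treats a plain '...' literal versus an E'...' literal under standard_conforming_strings on and off. The sample query and the usernames fed to it are constructed for the demonstration.

```python
"""Toy model of how PostgreSQL lexes the string produced by Exim's ${quote_pgsql:...}.

Constructed example; not code from Exim, Debian or PostgreSQL.
quote_pgsql() mirrors the backslash escaping Exim's pgsql lookup quoting applies
(assumed character set); lex_string_literal() is a minimal model of the PostgreSQL
lexer rules for '...' and E'...' string literals.
"""

# The lookup query from the sample config, with the opening quote made variable
# so the same template can be built with '...' or with E'...'.
QUERY_TEMPLATE = "SELECT pw FROM users WHERE username = {open_quote}{value}'"


def quote_pgsql(value: str) -> str:
    """Backslash-escape the characters Exim's quote_pgsql operator escapes (assumed set)."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\t":
            out.append("\\t")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\b":
            out.append("\\b")
        else:
            out.append(ch)
    return "".join(out)


def lex_string_literal(sql: str, pos: int, standard_conforming_strings: bool) -> tuple[str, int]:
    """Lex one string literal starting at sql[pos] (either '...' or E'...').

    Returns (decoded value, index just past the closing quote).
    Backslash escapes are honoured only inside E'...' literals, or inside plain
    '...' literals when standard_conforming_strings is off (the pre-9.1 default).
    A doubled quote ('') is a literal quote in every mode.
    Raises ValueError if the literal never terminates.
    """
    escapes_active = False
    if sql[pos] in "eE" and pos + 1 < len(sql) and sql[pos + 1] == "'":
        escapes_active = True
        pos += 1
    elif not standard_conforming_strings:
        escapes_active = True
    if sql[pos] != "'":
        raise ValueError("not at a string literal")
    pos += 1
    value = []
    while pos < len(sql):
        ch = sql[pos]
        if escapes_active and ch == "\\" and pos + 1 < len(sql):
            nxt = sql[pos + 1]
            value.append({"n": "\n", "t": "\t", "r": "\r", "b": "\b"}.get(nxt, nxt))
            pos += 2
        elif ch == "'":
            if pos + 1 < len(sql) and sql[pos + 1] == "'":
                value.append("'")
                pos += 2
            else:
                return "".join(value), pos + 1
        else:
            value.append(ch)
            pos += 1
    raise ValueError("unterminated quoted string")


def where_clause_after_lookup(auth1: str, e_prefix: bool, standard_conforming_strings: bool) -> tuple[str, str]:
    """Build the lookup query as the sample config does and report what PostgreSQL sees.

    Returns (the username PostgreSQL decodes from the literal, the SQL text left
    after the literal). Anything non-empty in the second element is input that
    escaped the string literal and is parsed as SQL.
    """
    query = QUERY_TEMPLATE.format(open_quote="E'" if e_prefix else "'", value=quote_pgsql(auth1))
    start = query.index("= ") + 2
    username, end = lex_string_literal(query, start, standard_conforming_strings)
    return username, query[end:]


if __name__ == "__main__":
    # Constructed inputs: one ordinary name containing a quote, one attacker-shaped one.
    for user in ("o'brien", "x' OR TRUE --"):
        for e_prefix, scs in ((False, True), (True, True), (False, False)):
            name, rest = where_clause_after_lookup(user, e_prefix, scs)
            print(f"E-prefix={e_prefix!s:5} scs={scs!s:5} username={name!r:18} trailing={rest!r}")
```

With standard_conforming_strings on (the modern default) and a plain '...' literal, the escaped input o\'brien is read as the literal o\ followed by brien' as loose SQL, so the quoting does nothing; the same input inside E'...', or inside '...' with standard_conforming_strings off, decodes back to o'brien with nothing left over. That is the difference the E prefix in the proposed fix makes.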