diff --git a/debian/changelog b/debian/changelog
index c2007702..9e9b4b3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+exim4 (4.98.2-1+deb13u1) trixie; urgency=medium
+
+  * Fix GnuTLS hostname verify of a server certificate with a zero-length
+    Subject. Patch from upstream GIT master (Closes: #1134984)
+  * Pull CVE-fixes from 4.99.2
+    +CVE-2026-40684  Possible crash with malicious DNS data when using musl
+     libc On systems using musl libc (not glibc) due to an oddity in octal
+     printing it is possible to crash the connection instance when malformed
+     DNS data is present in PTR records.
+    +CVE-2026-40685  Possible OOB read/write on corrupt JSON in header
+     configurations using json operators on invalid externally-provided input
+     could trigger heap corruption.
+    +CVE-2026-40686  Possible OOB read with large UTF8 trailing characters
+     configurations using utf8 operators on malformed utf8 in headers could
+     trigger OOB reads and might trigger some data leak if error messages are
+     required for subsequent emails in the current connection and similar
+     malformed headers are present.
+    +CVE-2026-40687  Possible OOB read/write with SPA authenticator in
+     configurations using the SPA authentication driver to a
+     hostile/compromised external SPA/NTLM connection it is possible to
+     trigger an OOB read/write and crash the connection instance or possibly
+     leak heap data to the instance.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 02 May 2026 11:31:20 +0200
+
 exim4 (4.98.2-1) unstable; urgency=medium
 
   * New upstream version (Basically identical to 4.98,1 + CVE-2025-30232 fix)
diff --git a/debian/patches/80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch b/debian/patches/80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch
new file mode 100644
index 00000000..12f06292
--- /dev/null
+++ b/debian/patches/80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch
@@ -0,0 +1,83 @@
+From 371e5210218746e876fd71c888fdb666c85ceb56 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sun, 19 Apr 2026 15:14:14 +0100
+Subject: [PATCH] GnuTLS: fix hostname verify of server cert for empty Subject.
+  Bug 3215
+
+---
+ doc/ChangeLog |  6 ++++++
+ src/tls-gnu.c     | 27 +++++++++++++++++----------
+ 2 files changed, 23 insertions(+), 10 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,15 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file.  For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+ 
++JH/33 Bug 3215: Fix GnuTLS hostname verify of a server certificate with a
++      zero-length Subject. These are now being handed out by LetsEncrypt; note
++      that this means they carry no DN (as well as no SN, that having decreed
++      deprecated in favour of SANs). The $tls_*peerdn variables relating to
++      these certificates will be empty strings.
++
+ JH/07 Bug 3106: Fix coding in SPA authenticator. A macro argument was not
+       properly parenthesized, resulting in a logic error.  While the simple
+       fix was provided by Andrew Aitchison, the over-large code block resulting
+       from this macro made me want to replace it with a real function so more
+       extensive rework becamse needed.
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -2265,11 +2265,10 @@ gnutls_protocol_t protocol;
+ gnutls_cipher_algorithm_t cipher;
+ gnutls_kx_algorithm_t kx;
+ gnutls_mac_algorithm_t mac;
+ gnutls_certificate_type_t ct;
+ gnutls_x509_crt_t crt;
+-uschar * dn_buf;
+ size_t sz;
+ 
+ if (state->have_set_peerdn)
+   return OK;
+ state->have_set_peerdn = TRUE;
+@@ -2387,22 +2386,30 @@ if ((ct = gnutls_certificate_type_get(se
+ rc = import_cert(&cert_list[0], &crt);
+ exim_gnutls_peer_err(US"cert 0");
+ 
+ state->tlsp->peercert = state->peercert = crt;
+ 
++state->peerdn = US"";
+ sz = 0;
+-rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
+-if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
++if (!(rc = gnutls_x509_crt_get_dn(crt, NULL, &sz)))
++  { DEBUG(D_tls) debug_printf_indent("TLS: zero-length DN\n"); }
++else if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++  { DEBUG(D_tls) debug_printf_indent("TLS: no DN\n"); }
++else
+   {
+-  exim_gnutls_peer_err(US"getting size for cert DN failed");
+-  return FAIL; /* should not happen */
+-  }
+-dn_buf = store_get_perm(sz, GET_TAINTED);
+-rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
+-exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
++  uschar * dn_buf;
++  if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
++    {
++    exim_gnutls_peer_err(US"getting size for cert DN failed");
++    return FAIL; /* should not happen */
++    }
++  dn_buf = store_get_perm(sz, GET_TAINTED);
++  rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
++  exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
+ 
+-state->peerdn = dn_buf;
++  state->peerdn = dn_buf;
++  }
+ 
+ return OK;
+ #undef exim_gnutls_peer_err
+ }
+ 
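Review bot: The new default `state->peerdn = US"";` has no comment explaining that an empty peer DN is now a valid result for a certificate that verified, and the debug strings alone do not say so. I would add above it `/* Empty or absent Subject is legal (SAN-only certs): peerdn stays "" and identity checks must rely on the SANs */`. Any code outside this hunk that treats an empty `peerdn` as "no certificate presented" would now misclassify these peers; that cannot be confirmed from here and is worth checking. The default is also an untainted literal while an extracted DN is allocated with `GET_TAINTED`, which looks harmless for an empty string but deserves a word in the same comment. The enclosing function starts outside the hunk.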
diff --git a/debian/patches/81-01-Support-musl-libc-dn_expand-oddity.patch b/debian/patches/81-01-Support-musl-libc-dn_expand-oddity.patch
new file mode 100644
index 00000000..ce80c8f2
--- /dev/null
+++ b/debian/patches/81-01-Support-musl-libc-dn_expand-oddity.patch
@@ -0,0 +1,74 @@
+From 628bbaca7672748d941a12e7cd5f0122a4e18c81 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 28 Apr 2026 14:47:32 +0100
+Subject: [PATCH 1/4] Support musl libc dn_expand oddity
+
+CVE-2026-40684
+---
+ doc/ChangeLog                            | 16 ++++++++++++++++
+ .../CVE2026-40684.assessment                     | 12 ++++++++++++
+ src/string.c                                 | 12 ++++++------
+ 3 files changed, 34 insertions(+), 6 deletions(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40684.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,13 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file.  For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+ 
++JH/34 CVE-2026-40684: A crafted DNS record could cause a crash of the Exim
++      process acessing it, when operating with musl libc. This could be the
++      daemon. An Exim using Gnu libc is not affeected.
++
+ JH/33 Bug 3215: Fix GnuTLS hostname verify of a server certificate with a
+       zero-length Subject. These are now being handed out by LetsEncrypt; note
+       that this means they carry no DN (as well as no SN, that having decreed
+       deprecated in favour of SANs). The $tls_*peerdn variables relating to
+       these certificates will be empty strings.
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40684.assessment
+@@ -0,0 +1,12 @@
++CVE2026-40684
++
++Vulnerability conditions
++------------------------
++
++- Exim build/run using musl libc (not gnulibc)
++- Deamon running, accepting connections
++
++Impact
++------
++
++Remote-triggered crash, via crafted PTR record
+--- a/src/string.c
++++ b/src/string.c
+@@ -606,21 +606,21 @@ string_copy_dnsdomain(uschar * s)
+ {
+ uschar * yield;
+ uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED);	/* always treat as tainted */
+ 
+ while (*s)
+-  {
+   if (*s != '\\')
+     *ss++ = *s++;
+-  else if (isdigit(s[1]))
+-    {
+-    *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
+-    s += 4;
++  else if (isdigit(*++s)) /* Apparently, musl libc dn_expand seen doing \DD */
++    {	/* and \D also. We can only hope not when a real digit follows. */
++    uschar c = *s++ - '0';
++    if (isdigit(*s)) c = c * 10 + *s++ - '0';
++    if (isdigit(*s)) c = c * 10 + *s++ - '0';
++    *ss++ = c;
+     }
+   else if (*++s)
+     *ss++ = *s++;
+-  }
+ 
+ *ss = 0;
+ return yield;
+ }
+ 
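Review bot: In the rewritten loop of string_copy_dnsdomain, as shown in this hunk, the backslash branch advances `s` twice when the escaped character is not a digit. `isdigit(*++s)` already steps onto the character after the backslash, and the final `else if (*++s)` steps again, so the escaped character is dropped. For a string ending in a lone backslash, that second increment moves past the terminating NUL, and the loop then keeps copying into a buffer sized from `Ustrlen(s) + 1`. The last branch should be `else if (*s)` with the existing `*ss++ = *s++;` under it. Separately, `uschar c` wraps silently for a three-digit escape above 255, and the patch carries no test for the `\D`, `\DD`, `\.` and trailing-backslash inputs.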
diff --git a/debian/patches/81-02-when-dewrap-only-skip-if-associated-char.patch b/debian/patches/81-02-when-dewrap-only-skip-if-associated-char.patch
new file mode 100644
index 00000000..4816c6e2
--- /dev/null
+++ b/debian/patches/81-02-when-dewrap-only-skip-if-associated-char.patch
@@ -0,0 +1,57 @@
+From 9fdc057e71b87c87a0d3d2288b2810a0efaaba57 Mon Sep 17 00:00:00 2001
+From: Bernard Quatermass <toolsmith@quatermass.co.uk>
+Date: Mon, 23 Mar 2026 16:43:51 +0000
+Subject: [PATCH 2/4] when dewrap, only skip \ if associated char
+
+CVE2026-40685
+---
+ doc/ChangeLog                                 |  5 ++++-
+ .../exim-security-2026-04.1/CVE2026-40685.assessment  | 11 +++++++++++
+ src/expand.c                                      |  2 +-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40685.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,12 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file.  For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+ 
++BQ/02 CVE-2026-40685: JSON string expansions could, when fed crafted source
++      strings, corrupt the heap.
++
+ JH/34 CVE-2026-40684: A crafted DNS record could cause a crash of the Exim
+       process acessing it, when operating with musl libc. This could be the
+       daemon. An Exim using Gnu libc is not affeected.
+ 
+ JH/33 Bug 3215: Fix GnuTLS hostname verify of a server certificate with a
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40685.assessment
+@@ -0,0 +1,11 @@
++CVE2026-40685
++
++Vulnerability conditions
++------------------------
++
++- Config uses json operators on externally-provided input
++
++Impact
++------
++
++- Remote-triggered heap corruption
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -2379,11 +2379,11 @@ if (Uskip_whitespace(&p) == *wrap)
+   {
+   s = ++p;
+   wrap++;
+   while (*p)
+     {
+-    if (*p == '\\') p++;
++    if (*p == '\\' && *(p+1)) p++;
+     else if (!quotesmode && *p == wrap[-1]) depth++;
+     else if (*p == *wrap)
+       if (depth == 0)
+ 	{
+ 	*p = '\0';
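Review bot: The added `&& *(p+1)` guard has no comment, and its purpose is not obvious from the line. It presumably stops the escape skip from stepping over the terminating NUL when the wrapped string ends in a backslash. I would add `/* lone trailing backslash: nothing to escape, do not step past the NUL */` above the test and write it as `p[1]`, matching the `wrap[-1]` indexing two lines below. The loop's increment and the rest of the function lie outside the hunk, so the behaviour after the guard fails cannot be confirmed from here. A regression case with an unterminated escape in the source string would pin the fix.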
diff --git a/debian/patches/81-03-Expansions-harden-for-malformed-UTF-8.patch b/debian/patches/81-03-Expansions-harden-for-malformed-UTF-8.patch
new file mode 100644
index 00000000..553ad29d
--- /dev/null
+++ b/debian/patches/81-03-Expansions-harden-for-malformed-UTF-8.patch
@@ -0,0 +1,58 @@
+From f2570bde16fb4d4a1242ff363a4c4eecf6372efc Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 23 Mar 2026 15:10:28 +0000
+Subject: [PATCH 3/4] Expansions: harden for malformed UTF-8
+
+CVE2026-40686
+---
+ doc/ChangeLog                                 |  4 ++++
+ .../exim-security-2026-04.1/CVE2026-40686.assessment  | 11 +++++++++++
+ src/expand.c                                      |  2 +-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40686.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,13 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file.  For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+ 
++JH/35 CVE-2026-40686: The ${from_utf8:} expansion operator, fed malformed input,
++      could read into the heap. If the result was used for an SMTP rejection
++      message, data exfiltration would be possible.
++
+ BQ/02 CVE-2026-40685: JSON string expansions could, when fed crafted source
+       strings, corrupt the heap.
+ 
+ JH/34 CVE-2026-40684: A crafted DNS record could cause a crash of the Exim
+       process acessing it, when operating with musl libc. This could be the
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40686.assessment
+@@ -0,0 +1,11 @@
++CVE2026-40686
++
++Vulnerability conditions
++------------------------
++
++- Config using UTF-8 operations on externally-provided input
++
++Impact
++------
++
++- Heap data exfiltration
+--- a/src/expand.c
++++ b/src/expand.c
+@@ -973,11 +973,11 @@ static int utf8_table2[] = { 0xff, 0x1f,
+   if ((c & 0xc0) == 0xc0) \
+     { \
+     int a = utf8_table1[c & 0x3f];  /* Number of additional bytes */ \
+     int s = 6*a; \
+     c = (c & utf8_table2[a]) << s; \
+-    while (a-- > 0) \
++    while (a-- > 0 && *ptr) \
+       { \
+       s -= 6; \
+       c |= (*ptr++ & 0x3f) << s; \
+       } \
+     }
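Review bot: The added `*ptr` test stops the continuation loop at the terminating NUL, but it still accepts any other byte as a continuation byte. A truncated multi-byte sequence therefore swallows the ASCII characters that follow it and builds a code point out of them. Testing the continuation form is stricter and also covers the NUL case: `while (a-- > 0 && (*ptr & 0xc0) == 0x80) \`. When the loop exits early, `c` holds a partially assembled value and the caller gets no indication of it. Whether callers tolerate that is outside the hunk, as is the start of the macro.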
diff --git a/debian/patches/81-04-SPA-authenticator-harden-buffer-usage.patch b/debian/patches/81-04-SPA-authenticator-harden-buffer-usage.patch
new file mode 100644
index 00000000..0c2c4c13
--- /dev/null
+++ b/debian/patches/81-04-SPA-authenticator-harden-buffer-usage.patch
@@ -0,0 +1,257 @@
+From 68b963b9f75ca27b38e1c0f8c87037990199f505 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 10 Mar 2026 21:29:52 +0000
+Subject: [PATCH 4/4] SPA authenticator: harden buffer usage
+
+CVE-2026-40687
+---
+ doc/ChangeLog                         |   4 +
+ .../CVE2026-40687.assessment                  |  12 ++
+ src/auths/auth-spa.c                      | 113 +++---------------
+ src/auths/auth-spa.h                      |   1 -
+ 4 files changed, 35 insertions(+), 95 deletions(-)
+ create mode 100644 doc/doc-txt/exim-security-2026-04.1/CVE2026-40687.assessment
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -1,9 +1,13 @@
+ This document describes *changes* to previous versions, that might
+ affect Exim's operation, with an unchanged configuration file.  For new
+ options, and new features, see the NewStuff file next to this ChangeLog.
+ 
++JH/36 CVE-2026-40687: The spa authenticator used an unitialized buffer, which
++      could result in a leak of data. It also had potential for wrting past the
++      end of static buffers, by choice of data provided by the client.
++
+ JH/35 CVE-2026-40686: The ${from_utf8:} expansion operator, fed malformed input,
+       could read into the heap. If the result was used for an SMTP rejection
+       message, data exfiltration would be possible.
+ 
+ BQ/02 CVE-2026-40685: JSON string expansions could, when fed crafted source
+--- /dev/null
++++ b/doc/doc-txt/exim-security-2026-04.1/CVE2026-40687.assessment
+@@ -0,0 +1,12 @@
++CVE2026-40687
++
++Vulnerability conditions
++------------------------
++
++- Config uses the "spa" authenticator driver
++
++Impact
++------
++
++- Remote-triggered crash (only of connection process, not daemon)
++- Infoleak
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -163,11 +163,10 @@ int main (int argc, char ** argv)
+ 
+ extern int DEBUGLEVEL;
+ 
+ #include "../exim.h"
+ #include "auth-spa.h"
+-#include <assert.h>
+ 
+ 
+ #ifndef _BYTEORDER_H
+ # define _BYTEORDER_H
+ 
+@@ -411,10 +410,12 @@ spa_base64_to_bits (char *out, int outle
+ /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
+ {
+ int len = 0;
+ uschar digit1, digit2, digit3, digit4;
+ 
++memset(out, 0, outlength);
++
+ if (in[0] == '+' && in[1] == ' ')
+   in += 2;
+ if (*in == '\r')
+   return (0);
+ 
+@@ -1238,63 +1239,37 @@ spa_string_add(SPAbuf * buffer, size_t o
+ int len = string ? Ustrlen(string) : 0;
+ spa_bytes_add(buffer, off, header, string, len);
+ }
+ 
+ static uschar *
+-strToUnicode(const uschar * p)
++strToUnicode(const uschar * p, int len)
+ {
+-static uschar buf[1024];
+-size_t l = Ustrlen(p);
+-
+-assert (l * 2 < sizeof buf);
+-
+-for (int i = 0; l--; ) { buf[i++] = *p++; buf[i++] = 0; }
++uschar * buf = store_get(len * 2, p);
++for (int i = 0; len--; ) { buf[i++] = *p++; buf[i++] = 0; }
+ return buf;
+ }
+ 
+ static void
+ spa_unicode_add_string(SPAbuf * buffer, size_t off, SPAStrHeader * header,
+   const uschar * string)
+ {
+-const uschar * p = string;
+-uschar * b = NULL;
++const uschar * p = string, * b = NULL;
+ int len = 0;
+ if (p)
+   {
+   len = Ustrlen(p);
+-  b = US strToUnicode(p);
++  b = strToUnicode(p, len);
+   }
+ spa_bytes_add(buffer, off, header, b, len*2);
+ }
+ 
+ 
+-#ifdef notdef
+-
+-#define DumpBuffer(fp, structPtr, header) \
+- dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+-
+-
+-static void
+-dumpRaw (FILE * fp, uschar *buf, size_t len)
++uschar *
++unicodeToString (char * p, size_t len)
+ {
+ int i;
+-
+-for (i = 0; i < len; ++i)
+-  fprintf (fp, "%02x ", buf[i]);
+-
+-fprintf (fp, "\n");
+-}
+-
+-#endif
+-
+-char *
+-unicodeToString (char *p, size_t len)
+-{
+-int i;
+-static char buf[1024];
+-
+-assert (len + 1 < sizeof buf);
++uschar * buf = store_get((int)len + 1, p);
+ 
+ for (i = 0; i < len; ++i)
+   {
+   buf[i] = *p & 0x7f;
+   p += 2;
+@@ -1303,89 +1278,37 @@ for (i = 0; i < len; ++i)
+ buf[i] = '\0';
+ return buf;
+ }
+ 
+ static uschar *
+-toString (char *p, size_t len)
++toString (const char *p, size_t len)
+ {
+-static uschar buf[1024];
+-
+-assert (len + 1 < sizeof buf);
++uschar * buf = store_get((int)len + 1, p);
+ 
+ memcpy (buf, p, len);
+-buf[len] = 0;
++buf[len] = '\0';
+ return buf;
+ }
+ 
+ static inline uschar *
+ get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+ {
+-int off = IVAL(&hdr->offset, 0);
+-int len = SVAL(&hdr->len, 0);
+-return off + len < sizeof(SPAAuthChallenge)
+-  ? US unicodeToString(CS challenge + off, len/2) : US"";
+-}
++int offset = IVAL(&hdr->offset, 0), len = SVAL(&hdr->len, 0);
+ 
+-static inline uschar *
+-get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+-{
+-int off = IVAL(&hdr->offset, 0);
+-int len = SVAL(&hdr->len, 0);
+-return off + len < sizeof(SPAAuthChallenge)
+-  ? US toString(CS challenge + off, len) : US"";
++return offset + len < sizeof(SPAAuthChallenge)
++  ? unicodeToString(CS challenge + offset, len/2) : US"";
+ }
+ 
+-#ifdef notdef
+-
+-#define GetUnicodeString(structPtr, header) \
+- unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-
+-#define GetString(structPtr, header) \
+- toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+-
+-void
+-dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
++static uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+ {
+-fprintf (fp, "NTLM Request:\n");
+-fprintf (fp, "      Ident = %s\n", request->ident);
+-fprintf (fp, "      mType = %d\n", IVAL (&request->msgType, 0));
+-fprintf (fp, "      Flags = %08x\n", IVAL (&request->flags, 0));
+-fprintf (fp, "       User = %s\n", GetString (request, user));
+-fprintf (fp, "     Domain = %s\n", GetString (request, domain));
+-}
++int offset = IVAL(&hdr->offset, 0), len = SVAL(&hdr->len, 0);
+ 
+-void
+-dumpSmbNtlmAuthChallenge (FILE * fp, SPAAuthChallenge * challenge)
+-{
+-fprintf (fp, "NTLM Challenge:\n");
+-fprintf (fp, "      Ident = %s\n", challenge->ident);
+-fprintf (fp, "      mType = %d\n", IVAL (&challenge->msgType, 0));
+-fprintf (fp, "     Domain = %s\n", GetUnicodeString (challenge, uDomain));
+-fprintf (fp, "      Flags = %08x\n", IVAL (&challenge->flags, 0));
+-fprintf (fp, "  Challenge = ");
+-dumpRaw (fp, challenge->challengeData, 8);
++return offset + len < sizeof(SPAAuthChallenge)
++  ? toString(CS challenge + offset, len) : US"";
+ }
+ 
+-void
+-dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response)
+-{
+-fprintf (fp, "NTLM Response:\n");
+-fprintf (fp, "      Ident = %s\n", response->ident);
+-fprintf (fp, "      mType = %d\n", IVAL (&response->msgType, 0));
+-fprintf (fp, "     LmResp = ");
+-DumpBuffer (fp, response, lmResponse);
+-fprintf (fp, "     NTResp = ");
+-DumpBuffer (fp, response, ntResponse);
+-fprintf (fp, "     Domain = %s\n", GetUnicodeString (response, uDomain));
+-fprintf (fp, "       User = %s\n", GetUnicodeString (response, uUser));
+-fprintf (fp, "        Wks = %s\n", GetUnicodeString (response, uWks));
+-fprintf (fp, "       sKey = ");
+-DumpBuffer (fp, response, sessionKey);
+-fprintf (fp, "      Flags = %08x\n", IVAL (&response->flags, 0));
+-}
+-#endif
+ 
+ void
+ spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
+ {
+ uschar * u = string_copy(user);
+--- a/src/auths/auth-spa.h
++++ b/src/auths/auth-spa.h
+@@ -90,8 +90,8 @@ void spa_build_auth_request (SPAAuthRequ
+        uschar * domain);
+ extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+                              unsigned char * p24);
+ extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+                                 unsigned char * p24);
+-extern char *unicodeToString(char *p, size_t len);
++extern uschar *unicodeToString(char *p, size_t len);
+ extern void spa_build_auth_challenge(SPAAuthRequest *, SPAAuthChallenge *);
+ 
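Review bot: get_challenge_unistr and get_challenge_str keep the old bounds test `offset + len < sizeof(SPAAuthChallenge)` on fields read from the peer's challenge, with `offset` held in a signed `int`. The test bounds only the sum, so it does not establish that `offset` itself lies inside the structure if IVAL can yield a value that converts to a negative int (IVAL's definition is outside this hunk). Holding both as unsigned and checking each closes that: `unsigned offset = IVAL(&hdr->offset, 0), len = SVAL(&hdr->len, 0);` and `return offset < sizeof(SPAAuthChallenge) && len < sizeof(SPAAuthChallenge) - offset`. The `(int)len + 1` sizes passed to `store_get` in unicodeToString and toString appear to rely on that caller-side check for these callers. That deserves a comment on both functions, since unicodeToString is exported through auth-spa.h and any other callers are not visible here.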
diff --git a/debian/patches/series b/debian/patches/series
index 913aec33..e6eab17f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,4 +13,9 @@
 77-Fix-IP-SRR-parsing.-Bug-3124.patch
 78_DKIM-fix-verify-of-malformed-header-lines.-Bug-3036.patch
 79_Dovecot-fix-protocol-sequence-for-version-2.4.0.patch
+80_GnuTLS-fix-hostname-verify-of-server-cert-for-empty-.patch
+81-01-Support-musl-libc-dn_expand-oddity.patch
+81-02-when-dewrap-only-skip-if-associated-char.patch
+81-03-Expansions-harden-for-malformed-UTF-8.patch
+81-04-SPA-authenticator-harden-buffer-usage.patch
 90_localscan_dlopen.dpatch
