Bug#288918: do these holes affect exim 3?

Andreas Metzler <ametzler@downhill.at.eu.org>, 288918@bugs.debian.org
Thu, 6 Jan 2005 23:13:27 +0100


clone 288918 -1
reassign -1 exim
retitle -1 Vulnerable to CAN-2005-0021
tags -1 = woody sarge sid security patch
thanks
On 2005-01-06 Joey Hess <joeyh@debian.org> wrote:
> Re these two security holes, which have just been assigned CVE ids
> CAN-2005-0022 and CAN-2005-0021, does anyone know if the security holes
> also affect exim version 3?

Hello,
The second issue concerns SPA authentication which exim v3 does not
support.

The other issue
| The function host_aton() can overflow a buffer if it is presented
| with an illegal IPv6 address that has more than 8 components.
| The input to this function is supposed to be checked; the report
| said that an unchecked value could be passed via the command line
| (without specifying which command line option, annoyingly). I found
| one such case, which was a call to a dnsdb lookup for a PTR record,
| as part of testing expansions using -be.

applies afaict; both parts of the respective code (dnsdb and
host_aton()) are identical.

-------
--- exim-3.36/src/host.c	2002-04-04 14:56:18.000000000 +0200
+++ exim-3.36/src/host.c	2005-01-06 22:50:30.000000000 +0100
@@ -620,12 +620,18 @@
 
   if (*p == ':') p++;
 
-  /* Split the address into components separated by colons. */
+  /* Split the address into components separated by colons. The input address
+  is supposed to be checked for syntax. There was a case where this was
+  overlooked; to guard against that happening again, check here and crash if
+  there is a violation. */
 
   while (*p != 0)
     {
     int len = strcspn(p, ":");
     if (len == 0) nulloffset = ci;
+    if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+      address);
     component[ci++] = p;
     p += len;
     if (*p == ':') p++;
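Review bot: the new `if (ci > 7)` guard inside the while loop is a fail-closed check rather than a recovery path: LOG_PANIC_DIE terminates the process, so an unchecked address that still reaches host_aton() now becomes a crash instead of a write past the end of component[]. That matches what the new comment says it intends, but it means every caller that can see untrusted input still needs its own syntax check before the call (the dnsdb change in this patch is one such site). Two smaller points: the panic message prints `address`, whose declaration is outside the hunk; make sure it is the original, unmodified input string and not the advancing `p`, or the log line will show only the trailing components. And `7` is a magic number tied to the declared size of component[]; a named constant or `sizeof(component)/sizeof(component[0]) - 1` would keep the bound and the array in step if either changes.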
--- exim-3.36/src/lookups/dnsdb.c	2002-04-04 14:56:18.000000000 +0200
+++ exim-3.36/src/lookups/dnsdb.c	2005-01-06 23:10:53.000000000 +0100
@@ -116,7 +116,7 @@
 /* If the type is PTR, we have to construct the relevant magic lookup
 key. */
 
-if (type == T_PTR)
+if (type == T_PTR && string_is_ip_address(keystring, NULL))
   {
   char *p = keystring + (int)strlen(keystring);
   char *pp = buffer;
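Review bot: adding `string_is_ip_address(keystring, NULL)` to the T_PTR condition keeps a non-address key out of the reversal code, but the resulting fall-through is undocumented: a PTR lookup whose key is not an IP address now silently queries the unmodified `keystring` instead of the reversed key built below, rather than being rejected. Either extend the comment above (`/* If the type is PTR, we have to construct the relevant magic lookup key. */`) to state that non-address keys are passed through as written, or return a lookup failure for that case so callers are not handed a misleading result. Also worth confirming that string_is_ip_address() in the exim 3.36 tree accepts a NULL mask pointer as it is called here.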
-------
               cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
                                           http://downhill.aus.cc/