Bug#403605: exim4-config: dc_other_hostnames expanded by the shell,
corrupting it
Paul Slootman
paul at debian.org
Mon Dec 18 11:41:27 UTC 2006
Package: exim4-config
Version: 4.63-11
Severity: grave
Justification: email was bounced, thus lost to me
I have a wildcard MX *.wurtel.net, and that's filled in
/etc/exim4/update-exim4.conf.conf accordingly:
dc_other_hostnames='wurtel.net : *.wurtel.net : ...'
However, I noticed once that instead of *.wurtel.net, the generated
config file had db.wurtel.net. At the time I passed that off as an
error on my part, as when running update-exim4.conf again it was
correct.
Today I again noticed in the exim logs that a lot of mail was being
bounced due to "relay not permitted". Again I saw db.wurtel.net instead
of *.wurtel.net, and now I was sure I hadn't made any mistake.
Upon investigation it appeared that if a file exists in the current
directory that matches *.wurtel.net when update-exim4.conf is run, the
filename is filled into the config file, hence corrupting it :-(
update-exim4.conf echoes the value of dc_other_hostnames without any
quoting!
I could imagine that this might even be used to bypass security if a
malicious user could get an admin to run update-exim4.conf in a
directory with specially prepared filenames.
I recommend that a fix is included in the version that's to go into
etch.
Paul Slootman
More information about the Pkg-exim4-maintainers
mailing list