exim4 upload to stable (dovecot stability / and optionally spf quoting)
Philipp Kern
pkern at debian.org
Mon Jan 7 10:25:27 UTC 2013
On Sat, Jan 05, 2013 at 02:20:06PM +0100, Andreas Metzler wrote:
> On top of this I would like to discuss whether it is acceptable to fix
> http://bugs.debian.org/697057 in stable, too. [I definitely want to
> get the fix into testing - #697444.] The Debian configuration
> optionally allows using spfquery to run SPF checks on incoming mail.
> Due to insufficient quoting it is possible to pass on arbitrary
> arguments to spfquery and therefore bypass SPF checks. The fix is not
> invasive, but it changes dpkg conffiles.
>
> -------------------------------
> diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
> index ac347aa..4949587 100644
> --- a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
> +++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
> @@ -265,10 +265,10 @@ acl_check_rcpt:
> log_message = SPF check failed.
> !acl = acl_local_deny_exceptions
> condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
> - \"$sender_host_address\" --identity \
> + ${quote:$sender_host_address} --identity \
> ${if def:sender_address_domain \
> - {--scope mfrom --identity \"$sender_address\"}\
> - {--scope helo --identity \"$sender_helo_name\"}}}\
> + {--scope mfrom --identity ${quote:$sender_address}}\
> + {--scope helo --identity ${quote:$sender_helo_name}}}}\
> {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> defer
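Review bot: Replacing `\"$sender_helo_name\"` (and the `$sender_address` / `$sender_host_address` counterparts) with `${quote:...}` is the right fix for a `${run}` condition: `${run}` splits the expanded string into an argv itself, honouring double quotes, and does not go through a shell, so a HELO name or envelope sender containing a double quote or whitespace could previously terminate the quoted argument and append further arguments to spfquery, whereas `${quote:}` backslash-escapes embedded quotes and backslashes and wraps the value in quotes only when it contains anything outside letters, digits, `_`, `.` and `-` (an IPv6 `$sender_host_address` will therefore now be quoted, which is harmless). Two things to check before the stable upload: the `--identity \` at the end of the `--ip` line is immediately followed by the `${if}` whose both branches already emit `--scope ... --identity ...`, so the resulting argv reads `--identity --scope mfrom --identity <address>`; if that leading `--identity` is not deliberate, this hunk is the place to drop it. And since 30_exim4-config_check_rcpt is a dpkg conffile, sites that have edited it locally will be prompted on upgrade and may keep the unquoted line; a NEWS.Debian or changelog entry that names the affected `condition = ${run{...}}` line would help them re-apply the change by hand.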
> -------------------------------
Just to be clear: The underquoting does not yield a situation where one
can use shell escapes or similar? It's "just" about being able to bypass
the SPF check by supplying crafted data?
Kind regards
Philipp Kern
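To make the quoting question concrete, here is an added example that is not part of this thread or of the exim4 package: a small Python model of the two Exim mechanisms the patch relies on, the `${quote:}` operator (quote only when needed, backslash-escape embedded quotes and backslashes) and the argv splitting that `${run}` performs on its expanded command string (whitespace separates arguments, double quotes group, backslash escapes are honoured inside quotes, no shell involved). The function names, the simplified splitter and the HELO values fed through it are constructed for illustration and are assumptions; Exim's real implementation handles more cases than this model.

```python
import re


def exim_quote(value: str) -> str:
    """Model of Exim's ${quote:...} operator as documented in the Exim spec:
    return the value unchanged if it is non-empty and made only of letters,
    digits, '_', '.' and '-'; otherwise wrap it in double quotes, escaping
    embedded '"' and '\\' with a backslash and encoding LF/CR as \\n and \\r."""
    if value and re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return value
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\n", "\\n").replace("\r", "\\r"))
    return f'"{escaped}"'


def split_run_args(command: str) -> list[str]:
    """Simplified model (assumption) of how ${run{...}} turns the expanded
    string into an argv: whitespace separates arguments, a double-quoted
    region is one argument (possibly empty), and inside quotes a backslash
    escapes the next character. Nothing here invokes a shell."""
    args, cur, in_quotes, have_token = [], [], False, False
    i = 0
    while i < len(command):
        c = command[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(command):
                nxt = command[i + 1]
                cur.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                cur.append(c)
        elif c == '"':
            in_quotes = True
            have_token = True          # an empty "" still yields an argument
        elif c.isspace():
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(c)
            have_token = True
        i += 1
    if have_token:
        args.append("".join(cur))
    return args


def build_argv(helo: str, fixed: bool) -> list[str]:
    """Expand the helo branch of the patched condition for one HELO value.
    fixed=False models the old config (literal \\" around the raw value),
    fixed=True models the patched config (${quote:$sender_helo_name})."""
    ident = exim_quote(helo) if fixed else f'"{helo}"'
    return split_run_args(
        f"/usr/bin/spfquery.mail-spf-perl --scope helo --identity {ident}")


if __name__ == "__main__":
    # Constructed HELO values: a normal hostname, an empty HELO, and one that
    # carries a double quote and whitespace (the case the patch addresses).
    for helo in ["mail.example.com", "", 'x" --extra-arg "y']:
        for fixed in (False, True):
            argv = build_argv(helo, fixed)
            print(f"{'patched' if fixed else 'old    '} helo={helo!r:25} "
                  f"identity args -> {argv[4:]}")
```

Run as a script it prints, for each constructed HELO value, what lands in the argv after `--identity`: the old form turns the crafted value into three separate arguments, the patched form keeps it as exactly one, and ordinary hostnames are passed through byte-for-byte by both, which is why the change is safe to apply without affecting normal traffic.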