Merging debian version 4.92-8+deb10u8.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 343 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index e8b0e26..3537358 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+exim4 (4.92-8+deb10u8) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Address SPA authenticator vulnerabilities (CVE-2023-42114, CVE-2023-42116)
+    - Auths: use uschar more in spa authenticator
+    - Auths: fix possible OOB write in SPA authenticator (CVE-2023-42116)
+    - Auths: fix possible OOB read in SPA authenticator (CVE-2023-42114)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 02 Oct 2023 08:59:59 +0200
+
 exim4 (4.92-8+deb10u7progress5u1) engywuck-security; urgency=high
 
   * Uploading to engywuck-security, remaining changes:
diff --git a/debian/patches/CVE-2023-42114.patch b/debian/patches/CVE-2023-42114.patch
new file mode 100644
index 0000000..4165f30
--- /dev/null
+++ b/debian/patches/CVE-2023-42114.patch
@@ -0,0 +1,77 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 1 Oct 2023 10:38:47 +0200
+Subject: CVE-2023-42114
+
+Upstream-Bug: 3001
+
+Originally created by Jeremy Harris.
+---
+ src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index ae8da9c..f3b0b78 100644
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -1263,15 +1263,10 @@ spa_bytes_add(ptr, header, b, len*2); \
+ }
+ 
+ 
+-#define GetUnicodeString(structPtr, header) \
+-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-#define GetString(structPtr, header) \
+-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+ #ifdef notdef
+ 
+ #define DumpBuffer(fp, structPtr, header) \
+-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
++ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ 
+ 
+ static void
+@@ -1335,8 +1330,33 @@ toString (char *p, size_t len)
+   return buf;
+ }
+ 
++static inline uschar *
++get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++  ? US unicodeToString(CS challenge + off, len/2) : US"";
++}
++
++static inline uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++  ? US toString(CS challenge + off, len) : US"";
++}
++
+ #ifdef notdef
+ 
++#define GetUnicodeString(structPtr, header) \
++ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
++
++#define GetString(structPtr, header) \
++ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
++
++
+ void
+ dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+ {
+@@ -1507,8 +1527,8 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
+     }
+ 
+   else domain = d = string_copy(cf & 0x1
+-    ? CUS GetUnicodeString(challenge, uDomain)
+-    : CUS GetString(challenge, uDomain));
++    ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
++    : CUS get_challenge_str(challenge, &challenge->uDomain));
+ 
+   spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+   spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
diff --git a/debian/patches/CVE-2023-42116.patch b/debian/patches/CVE-2023-42116.patch
new file mode 100644
index 0000000..cb22cd7
--- /dev/null
+++ b/debian/patches/CVE-2023-42116.patch
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 1 Oct 2023 10:16:05 +0200
+Subject: CVE-2023-42116
+
+Upstream-Bug: 3000
+
+Originally created by Jeremy Harris.
+---
+ src/auths/auth-spa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index dea6a89..ae8da9c 100644
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -1223,7 +1223,9 @@ char versionString[] = "libntlm version 0.21";
+ 
+ #define spa_bytes_add(ptr, header, buf, count) \
+ { \
+-if (buf != NULL  &&  count != 0) /* we hate -Wint-in-bool-contex */ \
++if (  buf && (count) != 0	/* we hate -Wint-in-bool-contex */ \
++   && ptr->bufIndex + count < sizeof(ptr->buffer)		\
++   ) \
+   { \
+   SSVAL(&ptr->header.len,0,count); \
+   SSVAL(&ptr->header.maxlen,0,count); \
diff --git a/debian/patches/series b/debian/patches/series
index 39c0ea5..bab606e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -59,3 +59,6 @@
 84_29-Fix-BDAT-issue-for-body-w-o-trailing-CRLF-again-Bug-.patch
 90_localscan_dlopen.dpatch
 CVE-2022-37452.patch
+use-uschar-more-in-spa-authenticator.patch
+CVE-2023-42116.patch
+CVE-2023-42114.patch
diff --git a/debian/patches/use-uschar-more-in-spa-authenticator.patch b/debian/patches/use-uschar-more-in-spa-authenticator.patch
new file mode 100644
index 0000000..3ffafca
--- /dev/null
+++ b/debian/patches/use-uschar-more-in-spa-authenticator.patch
@@ -0,0 +1,227 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 1 Oct 2023 10:56:15 +0200
+Subject: use uschar more in spa authenticator
+
+Originally created by Jermey Harris. Part of the patch series to fix
+CVE-2023-42114 and CVE-2023-42116.
+---
+ src/auths/auth-spa.c | 70 +++++++++++++++++++++++++++-------------------------
+ src/auths/auth-spa.h |  8 +++---
+ src/auths/spa.c      | 13 +++++-----
+ 3 files changed, 46 insertions(+), 45 deletions(-)
+
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index d2c95c3..dea6a89 100644
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -153,6 +153,9 @@ int main (int argc, char ** argv)
+    up with a different answer to the one above)
+ */
+ 
++#ifndef MACRO_PREDEF
++
++
+ #define DEBUG_X(a,b) ;
+ 
+ extern int DEBUGLEVEL;
+@@ -1238,21 +1241,21 @@ else \
+ 
+ #define spa_string_add(ptr, header, string) \
+ { \
+-char *p = string; \
++uschar * p = string; \
+ int len = 0; \
+-if (p) len = strlen(p); \
+-spa_bytes_add(ptr, header, (US p), len); \
++if (p) len = Ustrlen(p); \
++spa_bytes_add(ptr, header, p, len); \
+ }
+ 
+ #define spa_unicode_add_string(ptr, header, string) \
+ { \
+-char *p = string; \
+-uschar *b = NULL; \
++uschar * p = string; \
++uschar * b = NULL; \
+ int len = 0; \
+ if (p) \
+   { \
+-  len = strlen(p); \
+-  b = strToUnicode(p); \
++  len = Ustrlen(p); \
++  b = US strToUnicode(CS p); \
+   } \
+ spa_bytes_add(ptr, header, b, len*2); \
+ }
+@@ -1375,10 +1378,10 @@ dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response)
+ #endif
+ 
+ void
+-spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
++spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
+ {
+-  char *u = strdup (user);
+-  char *p = strchr (u, '@');
++  uschar * u = string_copy(user);
++  uschar * p = Ustrchr(u, '@');
+ 
+   if (p)
+     {
+@@ -1393,7 +1396,6 @@ spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
+   SIVAL (&request->flags, 0, 0x0000b207);      /* have to figure out what these mean */
+   spa_string_add (request, user, u);
+   spa_string_add (request, domain, domain);
+-  free (u);
+ }
+ 
+ 
+@@ -1485,16 +1487,16 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
+ 
+ void
+ spa_build_auth_response (SPAAuthChallenge * challenge,
+-                        SPAAuthResponse * response, char *user,
+-                        char *password)
++                        SPAAuthResponse * response, uschar * user,
++                        uschar * password)
+ {
+   uint8x lmRespData[24];
+   uint8x ntRespData[24];
+   uint32x cf = IVAL(&challenge->flags, 0);
+-  char *u = strdup (user);
+-  char *p = strchr (u, '@');
+-  char *d = NULL;
+-  char *domain;
++  uschar * u = string_copy(user);
++  uschar * p = Ustrchr(u, '@');
++  uschar * d = NULL;
++  uschar * domain;
+ 
+   if (p)
+     {
+@@ -1502,33 +1504,33 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
+     *p = '\0';
+     }
+ 
+-  else domain = d = strdup((cf & 0x1)?
+-    CCS GetUnicodeString(challenge, uDomain) :
+-    CCS GetString(challenge, uDomain));
++  else domain = d = string_copy(cf & 0x1
++    ? CUS GetUnicodeString(challenge, uDomain)
++    : CUS GetString(challenge, uDomain));
+ 
+-  spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
+-  spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
++  spa_smb_encrypt(password, challenge->challengeData, lmRespData);
++  spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
+ 
+   response->bufIndex = 0;
+   memcpy (response->ident, "NTLMSSP\0\0\0", 8);
+   SIVAL (&response->msgType, 0, 3);
+ 
+-  spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
+-  spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
++  spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
++  spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0);
+ 
+   if (cf & 0x1) {      /* Unicode Text */
+-       spa_unicode_add_string (response, uDomain, domain);
+-       spa_unicode_add_string (response, uUser, u);
+-       spa_unicode_add_string (response, uWks, u);
++       spa_unicode_add_string(response, uDomain, domain);
++       spa_unicode_add_string(response, uUser, u);
++       spa_unicode_add_string(response, uWks, u);
+   } else {             /* OEM Text */
+-       spa_string_add (response, uDomain, domain);
+-       spa_string_add (response, uUser, u);
+-       spa_string_add (response, uWks, u);
++       spa_string_add(response, uDomain, domain);
++       spa_string_add(response, uUser, u);
++       spa_string_add(response, uWks, u);
+   }
+ 
+-  spa_string_add (response, sessionKey, NULL);
++  spa_string_add(response, sessionKey, NULL);
+   response->flags = challenge->flags;
+-
+-  if (d != NULL) free (d);
+-  free (u);
+ }
++
++
++#endif   /*!MACRO_PREDEF*/
+diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h
+index cfe1b08..3b0b3a9 100644
+--- a/src/auths/auth-spa.h
++++ b/src/auths/auth-spa.h
+@@ -79,10 +79,10 @@ typedef struct
+ 
+ void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
+ int spa_base64_to_bits(char *, int, const char *);
+-void spa_build_auth_response (SPAAuthChallenge *challenge,
+-       SPAAuthResponse *response, char *user, char *password);
+-void spa_build_auth_request (SPAAuthRequest *request, char *user,
+-       char *domain);
++void spa_build_auth_response (SPAAuthChallenge * challenge,
++       SPAAuthResponse * response, uschar * user, uschar * password);
++void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
++       uschar * domain);
+ extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+                              unsigned char * p24);
+ extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index 4e3aef8..ff77cc5 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -294,14 +294,13 @@ SPAAuthRequest   request;
+ SPAAuthChallenge challenge;
+ SPAAuthResponse  response;
+ char msgbuf[2048];
+-char *domain = NULL;
+-char *username, *password;
++uschar * domain = NULL, * username, * password;
+ 
+ /* Code added by PH to expand the options */
+ 
+ *buffer = 0;    /* Default no message when cancelled */
+ 
+-if (!(username = CS expand_string(ob->spa_username)))
++if (!(username = expand_string(ob->spa_username)))
+   {
+   if (f.expand_string_forcedfail) return CANCELLED;
+   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -310,7 +309,7 @@ if (!(username = CS expand_string(ob->spa_username)))
+   return ERROR;
+   }
+ 
+-if (!(password = CS expand_string(ob->spa_password)))
++if (!(password = expand_string(ob->spa_password)))
+   {
+   if (f.expand_string_forcedfail) return CANCELLED;
+   string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -320,7 +319,7 @@ if (!(password = CS expand_string(ob->spa_password)))
+   }
+ 
+ if (ob->spa_domain)
+-  if (!(domain = CS expand_string(ob->spa_domain)))
++  if (!(domain = expand_string(ob->spa_domain)))
+     {
+     if (f.expand_string_forcedfail) return CANCELLED;
+     string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -340,7 +339,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+ 
+ DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
+ 
+-spa_build_auth_request (&request, CS username, domain);
++spa_build_auth_request(&request, username, domain);
+ spa_bits_to_base64 (US msgbuf, (unsigned char*)&request,
+        spa_request_length(&request));
+ 
+@@ -358,7 +357,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+ DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
+ spa_base64_to_bits (CS (&challenge), sizeof(challenge), CCS (buffer + 4));
+ 
+-spa_build_auth_response (&challenge, &response, CS username, CS password);
++spa_build_auth_response(&challenge, &response, username, password);
+ spa_bits_to_base64 (US msgbuf, (unsigned char*)&response,
+        spa_request_length(&response));
+ DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);