-rw-r--r-- | debian/changelog | 10 | ||||
-rw-r--r-- | debian/patches/CVE-2023-42114.patch | 77 | ||||
-rw-r--r-- | debian/patches/CVE-2023-42116.patch | 26 | ||||
-rw-r--r-- | debian/patches/series | 3 | ||||
-rw-r--r-- | debian/patches/use-uschar-more-in-spa-authenticator.patch | 227 |
5 files changed, 343 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index e8b0e26..3537358 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +exim4 (4.92-8+deb10u8) buster-security; urgency=high + + * Non-maintainer upload by the LTS team. + * Address SPA authenticator vulnerabilities (CVE-2023-42114, CVE-2023-42116) + - Auths: use uschar more in spa authenticator + - Auths: fix possible OOB write in SPA authenticator (CVE-2023-42116) + - Auths: fix possible OOB read in SPA authenticator (CVE-2023-42114) + + -- Markus Koschany <apo@debian.org> Mon, 02 Oct 2023 08:59:59 +0200 + exim4 (4.92-8+deb10u7progress5u1) engywuck-security; urgency=high * Uploading to engywuck-security, remaining changes: diff --git a/debian/patches/CVE-2023-42114.patch b/debian/patches/CVE-2023-42114.patch new file mode 100644 index 0000000..4165f30 --- /dev/null +++ b/debian/patches/CVE-2023-42114.patch 
@@ -0,0 +1,77 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 1 Oct 2023 10:38:47 +0200
+Subject: CVE-2023-42114
+
+Upstream-Bug: 3001
+
+Originally created by Jeremy Harris.
+---
+ src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index ae8da9c..f3b0b78 100644
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -1263,15 +1263,10 @@ spa_bytes_add(ptr, header, b, len*2); \
+ }
+ 
+ 
+-#define GetUnicodeString(structPtr, header) \
+-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-#define GetString(structPtr, header) \
+-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+ #ifdef notdef
+ 
+ #define DumpBuffer(fp, structPtr, header) \
+-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
++ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ 
+ 
+ static void
+@@ -1335,8 +1330,33 @@ toString (char *p, size_t len)
+ return buf;
+ }
+ 
++static inline uschar *
++get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++ ? US unicodeToString(CS challenge + off, len/2) : US"";
++}
++
++static inline uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++ ? 
US toString(CS challenge + off, len) : US"";
++}
++
+ #ifdef notdef
+ 
++#define GetUnicodeString(structPtr, header) \
++ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
++
++#define GetString(structPtr, header) \
++ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
++
++
+ void
+ dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+ {
+@@ -1507,8 +1527,8 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
+ }
+ 
+ else domain = d = string_copy(cf & 0x1
+- ? CUS GetUnicodeString(challenge, uDomain)
+- : CUS GetString(challenge, uDomain));
++ ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
++ : CUS get_challenge_str(challenge, &challenge->uDomain));
+ 
+ spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+ spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
diff --git a/debian/patches/CVE-2023-42116.patch b/debian/patches/CVE-2023-42116.patch
new file mode 100644
index 0000000..cb22cd7
--- /dev/null
+++ b/debian/patches/CVE-2023-42116.patch
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 1 Oct 2023 10:16:05 +0200
+Subject: CVE-2023-42116
+
+Upstream-Bug: 3000
+
+Originally created by Jeremy Harris.
+---
+ src/auths/auth-spa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index dea6a89..ae8da9c 100644
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -1223,7 +1223,9 @@ char versionString[] = "libntlm version 0.21";
+ 
+ #define spa_bytes_add(ptr, header, buf, count) \
+ { \
+-if (buf != NULL && count != 0) /* we hate -Wint-in-bool-contex */ \
++if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \
++ && ptr->bufIndex + count < sizeof(ptr->buffer) \
++ ) \
+ { \
+ SSVAL(&ptr->header.len,0,count); \
+ SSVAL(&ptr->header.maxlen,0,count); \
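Review bot: The new bounds check in `get_challenge_unistr` and `get_challenge_str` stores the server-supplied offset in a signed `int off` and only tests the sum `off + len < sizeof(SPAAuthChallenge)`, so an offset whose top bit is set (negative once in `int`, if IVAL yields the full 32-bit value as its name suggests) paired with a `len` of up to 65535 can still give a small positive sum that passes, after which `CS challenge + off` points before the struct and the out-of-bounds read this patch is meant to close remains. `off + len` can also overflow `int` for large offsets, which is undefined behaviour rather than a rejected value. I would keep both quantities unsigned and bound them separately in both helpers: `unsigned off = IVAL(&hdr->offset, 0);`, `unsigned len = SVAL(&hdr->len, 0);`, `return off < sizeof(SPAAuthChallenge) && len < sizeof(SPAAuthChallenge) - off`.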
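Review bot: In the added `&& ptr->bufIndex + count < sizeof(ptr->buffer)` term the macro argument `count` is expanded without parentheses, although the line above deliberately writes `(count) != 0`. The lmResponse/ntResponse call sites in the accompanying use-uschar patch pass `cf & 0x200 ? 24 : 0`, so the expansion becomes `… && ptr->bufIndex + cf & 0x200 ? 24 : 0 < sizeof(ptr->buffer)`, where the `?:` takes the whole preceding `&&` chain as its condition and evaluates to 24 or 1, i.e. the `if` is always true for those two fields and both the new bounds check and the original `count != 0` test are bypassed there. Those fields are fixed 24-byte values, so this does not overflow on its own, but the guard is inert exactly where it reads as if it applies. Write the term as `&& ptr->bufIndex + (count) < sizeof(ptr->buffer) \`. A secondary point: when the check does fail the field is silently skipped rather than reported, so a caller has no way to tell the response was truncated.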
diff --git a/debian/patches/series b/debian/patches/series
index 39c0ea5..bab606e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -59,3 +59,6 @@
 84_29-Fix-BDAT-issue-for-body-w-o-trailing-CRLF-again-Bug-.patch
 90_localscan_dlopen.dpatch
 CVE-2022-37452.patch
+use-uschar-more-in-spa-authenticator.patch
+CVE-2023-42116.patch
+CVE-2023-42114.patch
diff --git a/debian/patches/use-uschar-more-in-spa-authenticator.patch b/debian/patches/use-uschar-more-in-spa-authenticator.patch
new file mode 100644
index 0000000..3ffafca
--- /dev/null
+++ b/debian/patches/use-uschar-more-in-spa-authenticator.patch
@@ -0,0 +1,227 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 1 Oct 2023 10:56:15 +0200
+Subject: use uschar more in spa authenticator
+
+Originally created by Jermey Harris. Part of the patch series to fix
+CVE-2023-42114 and CVE-2023-42116.
+---
+ src/auths/auth-spa.c | 70 +++++++++++++++++++++++++++-------------------------
+ src/auths/auth-spa.h | 8 +++---
+ src/auths/spa.c | 13 +++++-----
+ 3 files changed, 46 insertions(+), 45 deletions(-)
+
+diff --git a/src/auths/auth-spa.c b/src/auths/auth-spa.c
+index d2c95c3..dea6a89 100644
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -153,6 +153,9 @@ int main (int argc, char ** argv)
+ up with a different answer to the one above)
+ */
+ 
++#ifndef MACRO_PREDEF
++
++
+ #define DEBUG_X(a,b) ;
+ 
+ extern int DEBUGLEVEL;
+@@ -1238,21 +1241,21 @@ else \
+ 
+ #define spa_string_add(ptr, header, string) \
+ { \
+-char *p = string; \
++uschar * p = string; \
+ int len = 0; \
+-if (p) len = strlen(p); \
+-spa_bytes_add(ptr, header, (US p), len); \
++if (p) len = Ustrlen(p); \
++spa_bytes_add(ptr, header, p, len); \
+ }
+ 
+ #define spa_unicode_add_string(ptr, header, string) \
+ { \
+-char *p = string; \
+-uschar *b = NULL; \
++uschar * p = string; \
++uschar * b = NULL; \
+ int len = 0; \
+ if (p) \
+ { \
+- len = strlen(p); \
+- b = strToUnicode(p); \
++ len = Ustrlen(p); \
++ b = US strToUnicode(CS p); \
+ } \
+ spa_bytes_add(ptr, header, b, len*2); \
+ }
+@@ -1375,10 +1378,10 @@ dumpSmbNtlmAuthResponse (FILE * fp, SPAAuthResponse * response)
+ #endif
+ 
+ void
+-spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
++spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
+ {
+- char *u = strdup (user);
+- char *p = strchr (u, '@');
++ uschar * u = string_copy(user);
++ uschar * p = Ustrchr(u, '@');
+ 
+ if (p)
+ {
+@@ -1393,7 +1396,6 @@ spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
+ SIVAL (&request->flags, 0, 0x0000b207); /* 
have to figure out what these mean */
+ spa_string_add (request, user, u);
+ spa_string_add (request, domain, domain);
+- free (u);
+ }
+ 
+ 
+@@ -1485,16 +1487,16 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
+ 
+ void
+ spa_build_auth_response (SPAAuthChallenge * challenge,
+- SPAAuthResponse * response, char *user,
+- char *password)
++ SPAAuthResponse * response, uschar * user,
++ uschar * password)
+ {
+ uint8x lmRespData[24];
+ uint8x ntRespData[24];
+ uint32x cf = IVAL(&challenge->flags, 0);
+- char *u = strdup (user);
+- char *p = strchr (u, '@');
+- char *d = NULL;
+- char *domain;
++ uschar * u = string_copy(user);
++ uschar * p = Ustrchr(u, '@');
++ uschar * d = NULL;
++ uschar * domain;
+ 
+ if (p)
+ {
+@@ -1502,33 +1504,33 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
+ *p = '\0';
+ }
+ 
+- else domain = d = strdup((cf & 0x1)?
+- CCS GetUnicodeString(challenge, uDomain) :
+- CCS GetString(challenge, uDomain));
++ else domain = d = string_copy(cf & 0x1
++ ? CUS GetUnicodeString(challenge, uDomain)
++ : CUS GetString(challenge, uDomain));
+ 
+- spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
+- spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
++ spa_smb_encrypt(password, challenge->challengeData, lmRespData);
++ spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
+ 
+ response->bufIndex = 0;
+ memcpy (response->ident, "NTLMSSP\0\0\0", 8);
+ SIVAL (&response->msgType, 0, 3);
+ 
+- spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
+- spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
++ spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
++ spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 
24 : 0);
+ 
+ if (cf & 0x1) { /* Unicode Text */
+- spa_unicode_add_string (response, uDomain, domain);
+- spa_unicode_add_string (response, uUser, u);
+- spa_unicode_add_string (response, uWks, u);
++ spa_unicode_add_string(response, uDomain, domain);
++ spa_unicode_add_string(response, uUser, u);
++ spa_unicode_add_string(response, uWks, u);
+ } else { /* OEM Text */
+- spa_string_add (response, uDomain, domain);
+- spa_string_add (response, uUser, u);
+- spa_string_add (response, uWks, u);
++ spa_string_add(response, uDomain, domain);
++ spa_string_add(response, uUser, u);
++ spa_string_add(response, uWks, u);
+ }
+ 
+- spa_string_add (response, sessionKey, NULL);
++ spa_string_add(response, sessionKey, NULL);
+ response->flags = challenge->flags;
+-
+- if (d != NULL) free (d);
+- free (u);
+ }
++
++
++#endif /*!MACRO_PREDEF*/
+diff --git a/src/auths/auth-spa.h b/src/auths/auth-spa.h
+index cfe1b08..3b0b3a9 100644
+--- a/src/auths/auth-spa.h
++++ b/src/auths/auth-spa.h
+@@ -79,10 +79,10 @@ typedef struct
+ 
+ void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
+ int spa_base64_to_bits(char *, int, const char *);
+-void spa_build_auth_response (SPAAuthChallenge *challenge,
+- SPAAuthResponse *response, char *user, char *password);
+-void spa_build_auth_request (SPAAuthRequest *request, char *user,
+- char *domain);
++void spa_build_auth_response (SPAAuthChallenge * challenge,
++ SPAAuthResponse * response, uschar * user, uschar * password);
++void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
++ uschar * domain);
+ extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+ unsigned char * p24);
+ extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index 4e3aef8..ff77cc5 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -294,14 +294,13 @@ SPAAuthRequest request;
+ SPAAuthChallenge challenge;
+ SPAAuthResponse response;
+ char 
msgbuf[2048];
+-char *domain = NULL;
+-char *username, *password;
++uschar * domain = NULL, * username, * password;
+ 
+ /* Code added by PH to expand the options */
+ 
+ *buffer = 0; /* Default no message when cancelled */
+ 
+-if (!(username = CS expand_string(ob->spa_username)))
++if (!(username = expand_string(ob->spa_username)))
+ {
+ if (f.expand_string_forcedfail) return CANCELLED;
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -310,7 +309,7 @@ if (!(username = CS expand_string(ob->spa_username)))
+ return ERROR;
+ }
+ 
+-if (!(password = CS expand_string(ob->spa_password)))
++if (!(password = expand_string(ob->spa_password)))
+ {
+ if (f.expand_string_forcedfail) return CANCELLED;
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -320,7 +319,7 @@ if (!(password = CS expand_string(ob->spa_password)))
+ }
+ 
+ if (ob->spa_domain)
+- if (!(domain = CS expand_string(ob->spa_domain)))
++ if (!(domain = expand_string(ob->spa_domain)))
+ {
+ if (f.expand_string_forcedfail) return CANCELLED;
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -340,7 +339,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+ 
+ DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
+ 
+-spa_build_auth_request (&request, CS username, domain);
++spa_build_auth_request(&request, username, domain);
+ spa_bits_to_base64 (US msgbuf, (unsigned char*)&request,
+ spa_request_length(&request));
+ 
+@@ -358,7 +357,7 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
+ DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
+ spa_base64_to_bits (CS (&challenge), sizeof(challenge), CCS (buffer + 4));
+ 
+-spa_build_auth_response (&challenge, &response, CS username, CS password);
++spa_build_auth_response(&challenge, &response, username, password);
+ spa_bits_to_base64 (US msgbuf, (unsigned char*)&response,
+ spa_request_length(&response));
+ DSPA("\n\n%s 
authenticator: challenge response (%s)\n\n", ablock->name, msgbuf); |
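Review bot: In the spa.c hunk at 358, `spa_base64_to_bits` is declared in this same patch's auth-spa.h hunk as returning `int`, yet its result is discarded on the `spa_base64_to_bits (CS (&challenge), sizeof(challenge), CCS (buffer + 4));` line, while `challenge` is an uninitialised stack local (`SPAAuthChallenge challenge;` in the 294 hunk). A short or malformed challenge from the server therefore leaves the tail of the struct as stack garbage, and the domain-string helpers added by the companion CVE-2023-42114 patch bound their read by `sizeof(SPAAuthChallenge)`, not by the number of bytes actually decoded, so that garbage can be copied into `domain` and end up in the uDomain field of the response that is base64-encoded for the server two lines later. Zeroing the struct before decoding closes this: `memset(&challenge, 0, sizeof(challenge));` immediately before the decode; alternatively check the returned int against the header offsets if it is the decoded length, which I cannot tell from here. The enclosing function starts before the 294 hunk and continues past this one.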