-rw-r--r-- | debian/changelog | 8 | ||||
-rwxr-xr-x[-rw-r--r--] | debian/minimaltest | 0 | ||||
-rw-r--r-- | debian/patches/CVE-2022-37452.patch | 61 | ||||
-rw-r--r-- | debian/patches/series | 1 |
4 files changed, 70 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index a62c7b6..981a8c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+exim4 (4.92-8+deb10u7) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2022-37452: heap-based buffer overflow for the alias list in
+ host_name_lookup in host.c when sender_host_name is set.
+
+ -- Sylvain Beucler <beuc@debian.org> Wed, 24 Aug 2022 18:23:44 +0200
+
 exim4 (4.92-8+deb10u6progress5u1) engywuck; urgency=high
 
 * Initial reupload to engywuck.
diff --git a/debian/minimaltest b/debian/minimaltest
index 97f5ccb..97f5ccb 100644..100755
--- a/debian/minimaltest
+++ b/debian/minimaltest
diff --git a/debian/patches/CVE-2022-37452.patch b/debian/patches/CVE-2022-37452.patch
new file mode 100644
index 0000000..b604e0f
--- /dev/null
+++ b/debian/patches/CVE-2022-37452.patch
@@ -0,0 +1,61 @@
+From 20812729e3e47a193a21d326ecd036d67a8b2724 Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Date: Sun, 16 May 2021 19:11:19 +0200
+Subject: [PATCH] Fix host_name_lookup (Close 2747)
+
+Thanks to Nico R for providing a reproducing configuration.
+
+ host_lookup = *
+ message_size_limit = ${if def:sender_host_name {32M}{32M}}
+ acl_smtp_connect = acl_smtp_connect
+ acl_smtp_rcpt = acl_smtp_rcpt
+
+ begin acl
+ acl_smtp_connect:
+ warn ratelimit = 256 / 1m / per_conn
+ accept
+
+ acl_smtp_rcpt:
+ accept hosts = 127.0.0.*
+
+ begin routers
+ null:
+ driver = accept
+ transport = null
+
+ begin transports
+ null:
+ driver = appendfile
+ file = /dev/null
+
+Tested with
+
+ swaks -f mailbox@example.org -t mailbox@example.org --pipe 'exim -bh 127.0.0.1 -C /opt/exim/etc/exim-bug.conf'
+
+The IP must have a PTR to "localhost." to reproduce it.
+---
+ src/host.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: exim4-4.92/src/host.c
+===================================================================
+--- exim4-4.92.orig/src/host.c
++++ exim4-4.92/src/host.c
+@@ -1593,7 +1593,7 @@ while (*s != 0) *t++ = tolower(*s++);
+
+ if (hosts->h_aliases != NULL)
+ {
+- int count = 1;
++ int count = 1; /* need 1 more for terminating NULL */
+ uschar **aliases, **ptr;
+ for (aliases = USS hosts->h_aliases; *aliases != NULL; aliases++) count++;
+ ptr = sender_host_aliases = store_get_perm(count * sizeof(uschar *));
+@@ -1703,7 +1703,7 @@ while ((ordername = string_nextinlist(&l
+ {
+ uschar **aptr = NULL;
+ int ssize = 264;
+- int count = 0;
++ int count = 1; /* need 1 more for terminating NULL */
+ int old_pool = store_pool;
+
+ sender_host_dnssec = dns_is_secure(&dnsa);
diff --git a/debian/patches/series b/debian/patches/series
index e448ccf..39c0ea5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
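Review bot: The comment added at `int count = 1;` in the second host.c hunk (`@@ -1703,7 +1703,7 @@`) repeats the wording of the first hunk, but here the initialiser actually changes from 0 to 1, so it should record why the old sizing was one slot short. Going by the changelog entry, the overflow occurs when sender_host_name is already set, presumably because every PTR name is then stored as an alias; a comment such as `/* one slot per PTR name plus the terminating NULL; all names become aliases if sender_host_name is already set */` would capture that. The counting loop, the allocation and the loop that fills the alias list all lie outside this hunk, so it cannot be confirmed from here that no path stores more than `count` pointers; that is worth checking against the full host_name_lookup body of this 4.92 backport. The first hunk only adds a comment to an initialiser that was already 1, so it changes no behaviour.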
@@ -58,3 +58,4 @@
 84_27-testsuite-adjustments-for-CVE-2020-28014-CVE-2021-27.patch
 84_29-Fix-BDAT-issue-for-body-w-o-trailing-CRLF-again-Bug-.patch
 90_localscan_dlopen.dpatch
+CVE-2022-37452.patch |