From d5eb37dd4a5a433c40c3c1e7ead424add62663f8 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 6 May 2024 02:47:27 +0200
Subject: Adding debian version 4.92-8+deb10u6.

Signed-off-by: Daniel Baumann
---
.../75_10-Harden-plaintext-authenticator.patch | 55 ++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 debian/patches/75_10-Harden-plaintext-authenticator.patch
(limited to 'debian/patches/75_10-Harden-plaintext-authenticator.patch')
diff --git a/debian/patches/75_10-Harden-plaintext-authenticator.patch b/debian/patches/75_10-Harden-plaintext-authenticator.patch
new file mode 100644
index 0000000..9dcfd47
--- /dev/null
+++ b/debian/patches/75_10-Harden-plaintext-authenticator.patch
@@ -0,0 +1,55 @@
+From e5b942ae007d0533fbd599c64d550f3a8355b940 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Thu, 21 Mar 2019 20:01:03 +0000
+Subject: [PATCH] Harden plaintext authenticator
+
+Cherry-picked from: f9fc942757
+---
+ doc/ChangeLog | 5 +++++
+ src/auths/plaintext.c | 6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 3d63725f..c34e60d1 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -32,10 +32,15 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
+ used both for input and for a verify callout, both encrypted, SMTP
+ responses being sent by the server could be lost. This resulted in
+ dropped connections and sometimes bounces generated by a peer sending
+ to this system.
+
++JH/11 Harden plaintext authenticator against a badly misconfigured client-send
++ string. Previously it was possible to cause undefined behaviour in a
++ library routine (usually a crash). Found by "zerons".
++
++
+
+ Exim version 4.92
+ -----------------
+
+ JH/01 Remove code calling the customisable local_scan function, unless a new
+diff --git a/src/auths/plaintext.c b/src/auths/plaintext.c
+index 7a0f7885..fa05b0ad 100644
+--- a/src/auths/plaintext.c
++++ b/src/auths/plaintext.c
+@@ -221,15 +221,11 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)))
+ for (i = 0; i < len; i++)
+ if (ss[i] == '^')
+ if (ss[i+1] != '^')
+ ss[i] = 0;
+ else
+- {
+- i++;
+- len--;
+- memmove(ss + i, ss + i + 1, len - i);
+- }
++ if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);
+
+ /* The first string is attached to the AUTH command; others are sent
+ unembellished. */
+
+ if (first)
+--
+2.20.1
+
-- cgit v1.2.3
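Review bot: In the src/auths/plaintext.c hunk, the new line `if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);` hides both counter updates inside the guard condition and sits under two unbraced `if`s, so the property that matters for safety (the `memmove` count never going negative) is easy to lose in a later edit. I would keep the updates as statements and guard only the copy, `else { i++; len--; if (len > i) memmove(ss + i, ss + i + 1, len - i); }`, with a comment such as `/* only shift when bytes remain: a non-positive count would turn into a huge size_t */`. The copy moves `len - i` bytes after `len` has been decremented, so the byte at the new `ss[len]` appears to keep its old value and the `ss[i+1]` lookahead can still read it. A regression test with a client-send string made of consecutive `^` characters would pin that case. The enclosing `while` loop and the declarations of `i` and `len` are outside the hunk, so their types are assumed here.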