exim.git
2 years agoMerge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn exim-4.94.2+taintwarn github/exim-4.94.2+taintwarn
Heiko Schlittermann (HS12-RIPE) [Mon, 30 Aug 2021 21:31:40 +0000 (23:31 +0200)]
Merge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn

2 years agotestsuite: 4520 swapped output lines
Heiko Schlittermann (HS12-RIPE) [Mon, 30 Aug 2021 21:12:53 +0000 (23:12 +0200)]
testsuite: 4520 swapped output lines

2 years agoDKIM: fix verify under TLS & chunking, with pipelined next command
Jeremy Harris [Wed, 11 Aug 2021 12:08:43 +0000 (13:08 +0100)]
DKIM: fix verify under TLS & chunking, with pipelined next command

Cherry-picked from: b367453a08

2 years agoTestsuite: testcases for DKIM under TLS
Jeremy Harris [Tue, 10 Aug 2021 16:36:03 +0000 (17:36 +0100)]
Testsuite: testcases for DKIM under TLS

(cherry picked from commit 15a44d749b2f4097d43c2d887b6c5bca2d0d8b4a)

2 years agoTestsuite: testcase shuffling
Jeremy Harris [Tue, 10 Aug 2021 14:24:48 +0000 (15:24 +0100)]
Testsuite: testcase shuffling

(cherry picked from commit 5078e5337323159ff8c293e7ae335a974fd0371e)

2 years agoFix tainted message for fakereject
Jeremy Harris [Wed, 7 Jul 2021 21:19:07 +0000 (22:19 +0100)]
Fix tainted message for fakereject

(cherry picked from commit a9ac2d7fc219e41a353abf1f599258b9b9d21b7e)

2 years agoMerge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn
Heiko Schlittermann (HS12-RIPE) [Mon, 17 May 2021 10:07:39 +0000 (12:07 +0200)]
Merge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn

(Closes 2747)

2 years agoFix host_name_lookup (Close 2747)
Heiko Schlittermann (HS12-RIPE) [Sun, 16 May 2021 17:11:19 +0000 (19:11 +0200)]
Fix host_name_lookup (Close 2747)

Thanks to Nico R for providing a reproducing configuration.

        host_lookup             = *
        message_size_limit      = ${if def:sender_host_name {32M}{32M}}
        acl_smtp_connect        = acl_smtp_connect
        acl_smtp_rcpt           = acl_smtp_rcpt

        begin acl
          acl_smtp_connect:
                warn ratelimit = 256 / 1m / per_conn
                accept

          acl_smtp_rcpt:
                accept hosts = 127.0.0.*

        begin routers
        null:
          driver          = accept
          transport       = null

        begin transports
        null:
          driver          = appendfile
          file            = /dev/null

Tested with

        swaks -f mailbox@example.org -t mailbox@example.org --pipe 'exim -bh 127.0.0.1 -C /opt/exim/etc/exim-bug.conf'

The IP must have a PTR to "localhost." to reproduce it.

2 years agoMerge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn
Heiko Schlittermann (HS12-RIPE) [Sat, 15 May 2021 11:44:40 +0000 (13:44 +0200)]
Merge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn

2 years agoFix logging with build-time config and empty elements (Closes 2733)
Heiko Schlittermann (HS12-RIPE) [Sat, 15 May 2021 11:40:46 +0000 (13:40 +0200)]
Fix logging with build-time config and empty elements (Closes 2733)

2 years agoFix logging with empty element in log_file_path (Bug 2733)
Jeremy Harris [Sat, 15 May 2021 11:37:04 +0000 (13:37 +0200)]
Fix logging with empty element in log_file_path (Bug 2733)

2 years agoMerge branch 'exim-4.94+fixes' into exim-4.94.2+fixes
Heiko Schlittermann (HS12-RIPE) [Thu, 13 May 2021 06:31:37 +0000 (08:31 +0200)]
Merge branch 'exim-4.94+fixes' into exim-4.94.2+fixes

How to make sure that cherry-picking to a +fixes branch goes to the
*latest* +fixes branch?

2 years agoNamed Queues: fix immediate-delivery. Bug 2743
Jeremy Harris [Wed, 12 May 2021 14:01:12 +0000 (15:01 +0100)]
Named Queues: fix immediate-delivery.  Bug 2743

(cherry picked from commit 159cf206c97f876b07829d92db2217689745c1e8)

2 years agoMerge branch 'exim-4.94+fixes' into exim-4.94.2+fixes
Heiko Schlittermann (HS12-RIPE) [Sun, 9 May 2021 09:26:03 +0000 (11:26 +0200)]
Merge branch 'exim-4.94+fixes' into exim-4.94.2+fixes

2 years agoMerge branch 'exim-4.94+fixes' of ssh://git.exim.org/home/git/exim into exim-4.94...
Heiko Schlittermann (HS12-RIPE) [Sun, 9 May 2021 09:25:09 +0000 (11:25 +0200)]
Merge branch 'exim-4.94+fixes' of ssh://git.exim.org/home/git/exim into exim-4.94+fixes

2 years agoFix ${ipv6norm:}
Jeremy Harris [Tue, 4 May 2021 12:06:31 +0000 (13:06 +0100)]
Fix ${ipv6norm:}

(cherry picked from commit 8b4b6ac90766b11fa74fa3001778b49456adbe42)

2 years agoMerge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn
Heiko Schlittermann (HS12-RIPE) [Mon, 3 May 2021 14:00:38 +0000 (16:00 +0200)]
Merge branch 'exim-4.94.2+fixes' into exim-4.94.2+taintwarn

2 years agoFix DANE + SNI handling (Bug 2265)
Heiko Schlittermann (HS12-RIPE) [Mon, 3 May 2021 13:53:28 +0000 (15:53 +0200)]
Fix DANE + SNI handling (Bug 2265)

Broken in d8e99d6047e709b35eabb1395c2046100d1a1dda
Thanks to JGH and Wolfgang Breyha for contributions.

2 years agoMerge tag 'exim-4.94.2' into exim-4.94.1+taintwarn
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Apr 2021 14:47:26 +0000 (16:47 +0200)]
Merge tag 'exim-4.94.2' into exim-4.94.1+taintwarn

Bugfix for previous security release

2 years agoFix BDAT issue for body w/o trailing CRLF (again Bug 1974) exim-4.94.2
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Apr 2021 08:47:45 +0000 (10:47 +0200)]
Fix BDAT issue for body w/o trailing CRLF (again Bug 1974)

2 years agotestsuite: reproduce BDAT with missing eol (Bug 1974)
Heiko Schlittermann (HS12-RIPE) [Thu, 29 Apr 2021 22:37:53 +0000 (00:37 +0200)]
testsuite: reproduce BDAT with missing eol (Bug 1974)

3 years agoMerge tag 'exim-4.94.1' into exim-4.94+fixes+taintwarn
Heiko Schlittermann (HS12-RIPE) [Wed, 28 Apr 2021 18:37:34 +0000 (20:37 +0200)]
Merge tag 'exim-4.94.1' into exim-4.94+fixes+taintwarn

Security release 4.94.1 (+fixes +qualys)

3 years agoCleanup docs on cve-2020-qualys, point to the Exim website exim-4.94.1
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 16:54:28 +0000 (18:54 +0200)]
Cleanup docs on cve-2020-qualys, point to the Exim website

3 years agorewrite: revert to unchecked result of parse_extract_address()
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 14:16:49 +0000 (16:16 +0200)]
rewrite: revert to unchecked result of parse_extract_address()

Now it breaks 471, and overlong addresses won't make it into the rewrite
process, as they are handled as empty.

3 years agoHonour the outcome of parse_extract_address(), testsuite 471
Heiko Schlittermann (HS12-RIPE) [Mon, 19 Apr 2021 20:23:14 +0000 (22:23 +0200)]
Honour the outcome of parse_extract_address(), testsuite 471

3 years agoCVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
Qualys Security Advisory [Mon, 22 Feb 2021 03:11:55 +0000 (19:11 -0800)]
CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()

Extracted from Jeremy Harris's commit afaf5a50.

3 years agoRemove merge artifact
Heiko Schlittermann (HS12-RIPE) [Wed, 21 Apr 2021 07:09:13 +0000 (09:09 +0200)]
Remove merge artifact

3 years agoUpdate upgrade notes and source about use of seteuid()
Heiko Schlittermann (HS12-RIPE) [Wed, 21 Apr 2021 05:52:39 +0000 (07:52 +0200)]
Update upgrade notes and source about use of seteuid()

(cherry picked from commit bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb)

3 years agoCVE-2020-28007: Link attack in Exim's log directory
Qualys Security Advisory [Tue, 23 Feb 2021 16:33:03 +0000 (08:33 -0800)]
CVE-2020-28007: Link attack in Exim's log directory

We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!

This patch also fixes:

- a NULL-pointer dereference in usr1_handler() (this signal handler is
  installed before process_log_path is initialized);

- a file-descriptor leak in dmarc_write_history_file() (two return paths
  did not close history_file_fd).

Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."

(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)

3 years agoCVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)]
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

Based on Phil Pennock's commit 76a1ce77.
Modified by Qualys.

(cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)

3 years agoSECURITY: Avoid modification of constant data in dkim handling
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:59:25 +0000 (22:59 +0200)]
SECURITY: Avoid modification of constant data in dkim handling

Based on Heiko Schlittermann's commits f880c7f3 and c118c7f4. This
fixes:

6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
with a global orig_data and hence canon_data, and the following line can
therefore modify data that should be constant:

 773   canon_data->len = b->bodylength - b->signed_body_bytes;

For example, the following proof of concept sets lineending.len to 0
(this should not be possible):

(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25

(gdb) print lineending
$1 = {data = 0x55e18035b2ad "\r\n", len = 2}
(gdb) print &lineending.len
$3 = (size_t *) 0x55e180385948 <lineending+8>
(gdb) watch *(size_t *) 0x55e180385948

Hardware watchpoint 1: *(size_t *) 0x55e180385948
Old value = 2
New value = 0
(gdb) print lineending
$5 = {data = 0x55e18035b2ad "\r\n", len = 0}

(cherry picked from commit 92359a62a0e31734ad8069c66f64b37f9eaaccbe)

3 years agoSECURITY: Leave a clean smtp_out input buffer even in case of read error
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:48:06 +0000 (22:48 +0200)]
SECURITY: Leave a clean smtp_out input buffer even in case of read error

Based on Heiko Schlittermann's commit 54895bc3. This fixes:

7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.

(cherry picked from commit 30f5d98786fb4e6ccfdd112fe65c153f0ee34c5f)

3 years agoSECURITY: Always exit when LOG_PANIC_DIE is set
Qualys Security Advisory [Mon, 22 Feb 2021 06:09:06 +0000 (22:09 -0800)]
SECURITY: Always exit when LOG_PANIC_DIE is set

(cherry picked from commit e20aa895b37f449d5c81c3e7b102fc534b5d23ba)

3 years agoCVE-2020-28012: Missing close-on-exec flag for privileged pipe
Qualys Security Advisory [Mon, 22 Feb 2021 05:53:55 +0000 (21:53 -0800)]
CVE-2020-28012: Missing close-on-exec flag for privileged pipe

(cherry picked from commit 72dad1e64bb3d1ff387938f59678098cab1f60a3)

3 years agoCVE-2020-28024: Heap buffer underflow in smtp_ungetc()
Qualys Security Advisory [Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)]
CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

(cherry picked from commit 998e5a9db121c3eff15cac16859bdffd7adcbe57)

3 years agoCVE-2020-28009: Integer overflow in get_stdinput()
Qualys Security Advisory [Mon, 22 Feb 2021 05:45:19 +0000 (21:45 -0800)]
CVE-2020-28009: Integer overflow in get_stdinput()

(cherry picked from commit bbf1bb10bee5a1d7cbcc97f178b348189219eb7d)

3 years agoCVE-2020-28015+28021: New-line injection into spool header file
Qualys Security Advisory [Mon, 22 Feb 2021 05:26:53 +0000 (21:26 -0800)]
CVE-2020-28015+28021: New-line injection into spool header file

(cherry picked from commit 31b1a42d0bd29cb05f85e56d3343b13bef20a2bd)

3 years agoCVE-2020-28026: Line truncation and injection in spool_read_header()
Heiko Schlittermann (HS12-RIPE) [Tue, 30 Mar 2021 20:03:49 +0000 (22:03 +0200)]
CVE-2020-28026: Line truncation and injection in spool_read_header()

This also fixes:

2/ In src/spool_in.c:

 462   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
 463         && big_buffer[len-1] != '\n'
 464         )
 465     {   /* buffer not big enough for line; certs make this possible */
 466     uschar * buf;
 467     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
 468     buf = store_get_perm(big_buffer_size *= 2, FALSE);
 469     memcpy(buf, big_buffer, --len);

The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).

Based on a patch done by Qualys.

(cherry picked from commit f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799)

3 years agoCVE-2020-28022: Heap out-of-bounds read and write in extract_option()
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:12:02 +0000 (23:12 +0200)]
CVE-2020-28022: Heap out-of-bounds read and write in extract_option()

Based on Phil Pennock's commit c5017adf.

(cherry picked from commit 9e941e1807b624b255c9ec0f41a0b3a89e144de3)

3 years agoCVE-2020-28017: Integer overflow in receive_add_recipient()
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:05:58 +0000 (23:05 +0200)]
CVE-2020-28017: Integer overflow in receive_add_recipient()

Based on Phil Pennock's commit e3b441f7.

(cherry picked from commit 18a19e18242edc5ab2082fa9c41cd6210d1b6087)

3 years agoSECURITY: Refuse negative and large store allocations
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 21:02:34 +0000 (23:02 +0200)]
SECURITY: Refuse negative and large store allocations

Based on Phil Pennock's commits b34d3046 and e6c1606a.  Done by Qualys.

(cherry picked from commit 09d36bd64fc5bf71d8882af35c41ac4e8599acc1)

3 years agoCVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 20:44:47 +0000 (22:44 +0200)]
CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()

Based on Phil Pennock's 8a50c88a, done by Qualys

(cherry picked from commit 8161c16ec7320ac6164954bade23179a0ed095eb)

3 years agoCVE-2020-28011: Heap buffer overflow in queue_run()
Qualys Security Advisory [Mon, 22 Feb 2021 03:22:33 +0000 (19:22 -0800)]
CVE-2020-28011: Heap buffer overflow in queue_run()

(cherry picked from commit 6e1fb878e95f8e6f838ffde5258c7a969c981865)

3 years agoCVE-2020-28010: Heap out-of-bounds write in main()
Heiko Schlittermann (HS12-RIPE) [Mon, 29 Mar 2021 20:16:28 +0000 (22:16 +0200)]
CVE-2020-28010: Heap out-of-bounds write in main()

Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me.

(cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c)

3 years agoCVE-2020-28018: Use-after-free in tls-openssl.c
Qualys Security Advisory [Mon, 22 Feb 2021 03:05:56 +0000 (19:05 -0800)]
CVE-2020-28018: Use-after-free in tls-openssl.c

(cherry picked from commit 6290686dd59d8158d100c67e8f96df27158a6fc5)

3 years agoCVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Qualys Security Advisory [Mon, 22 Feb 2021 02:54:16 +0000 (18:54 -0800)]
CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

(cherry picked from commit cad30cd3fb96196e908e0d66b1b45fdf377c850c)

3 years agoCVE-2020-28014, CVE-2021-27216: PID file handling
Heiko Schlittermann (HS12-RIPE) [Thu, 25 Mar 2021 21:48:09 +0000 (22:48 +0100)]
CVE-2020-28014, CVE-2021-27216: PID file handling

Arbitrary PID file creation, clobbering, and deletion.
Patch provided by Qualys.

(cherry picked from commit 974f32939a922512b27d9f0a8a1cb5dec60e7d37)

3 years agoAdd priv.c: reworked version of priv dropping code
Heiko Schlittermann (HS12-RIPE) [Wed, 10 Mar 2021 22:37:29 +0000 (23:37 +0100)]
Add priv.c: reworked version of priv dropping code

(cherry picked from commit 82b545236e6dc82b7af34528c532811bfc74ea19)

3 years agoCVE-2020-28008: Assorted attacks in Exim's spool directory
Heiko Schlittermann (HS12-RIPE) [Sun, 14 Mar 2021 11:16:57 +0000 (12:16 +0100)]
CVE-2020-28008: Assorted attacks in Exim's spool directory

We patch dbfn_open() by introducing two functions priv_drop_temp() and
priv_restore() (inspired by OpenSSH's functions temporarily_use_uid()
and restore_uid()), which temporarily drop and restore root privileges
thanks to seteuid(). This goes against Exim's developers' wishes ("Exim
(the project) doesn't trust seteuid to work reliably") but, to the best
of our knowledge, seteuid() works everywhere and is the only way to
securely fix dbfn_open().

(cherry picked from commit 18da59151dbafa89be61c63580bdb295db36e374)

3 years agoCVE-2020-28019: Failure to reset function pointer after BDAT error
Jeremy Harris [Thu, 4 Mar 2021 21:19:08 +0000 (22:19 +0100)]
CVE-2020-28019: Failure to reset function pointer after BDAT error

Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
Harris's commits aa171254 and 9aceb5c2.

(cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)

3 years agoSECURITY: smtp_out: Leave a clean input buffer, even in case of read error
Heiko Schlittermann (HS12-RIPE) [Wed, 2 Dec 2020 21:28:02 +0000 (22:28 +0100)]
SECURITY: smtp_out: Leave a clean input buffer, even in case of read error

Credits: Qualys

  7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
  when -1 is returned. This does not seem to have bad consequences, but is
  maybe not the intended behavior.

(cherry picked from commit f7ac5a7d1e817bf60f161e7a1d40b65d66da607f)

3 years agoSECURITY: Avoid modification of constant data
Heiko Schlittermann (HS12-RIPE) [Thu, 26 Nov 2020 17:16:59 +0000 (18:16 +0100)]
SECURITY: Avoid modification of constant data

Credits: Qualys

    6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
    with a global orig_data and hence canon_data, and the following line can
    therefore modify data that should be constant:

     773   canon_data->len = b->bodylength - b->signed_body_bytes;

    For example, the following proof of concept sets lineending.len to 0
    (this should not be possible):

    (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25

    (gdb) print lineending
    $1 = {data = 0x55e18035b2ad "\r\n", len = 2}
    (gdb) print &lineending.len
    $3 = (size_t *) 0x55e180385948 <lineending+8>
    (gdb) watch *(size_t *) 0x55e180385948

    Hardware watchpoint 1: *(size_t *) 0x55e180385948
    Old value = 2
    New value = 0
    (gdb) print lineending
    $5 = {data = 0x55e18035b2ad "\r\n", len = 0}

(cherry picked from commit 9fce76f56459dde7489eb21ce1ff822e04e10f43)

3 years agoSECURITY: Avoid memory corruption in dkim handling
Heiko Schlittermann (HS12-RIPE) [Wed, 25 Nov 2020 22:19:57 +0000 (23:19 +0100)]
SECURITY: Avoid memory corruption in dkim handling

Credits: Qualys

    6/ In src/pdkim/pdkim.c, pdkim_update_ctx_bodyhash() is sometimes called
    with a global orig_data and hence canon_data, and the following line can
    therefore modify data that should be constant:

     773   canon_data->len = b->bodylength - b->signed_body_bytes;

    For example, the following proof of concept sets lineending.len to 0
    (this should not be possible):

    (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; date >&2; sleep 30; printf 'DKIM-Signature:a=rsa-sha1;c=simple/simple;l=0\r\n\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25

    (gdb) print lineending
    $1 = {data = 0x55e18035b2ad "\r\n", len = 2}
    (gdb) print &lineending.len
    $3 = (size_t *) 0x55e180385948 <lineending+8>
    (gdb) watch *(size_t *) 0x55e180385948

    Hardware watchpoint 1: *(size_t *) 0x55e180385948
    Old value = 2
    New value = 0
    (gdb) print lineending
    $5 = {data = 0x55e18035b2ad "\r\n", len = 0}

(cherry picked from commit ea850e27714ccda2090d781ebe89b410bc38c2c6)

3 years agoSECURITY: Avoid decrement of dkim_collect_input if already at 0
Heiko Schlittermann (HS12-RIPE) [Wed, 25 Nov 2020 21:58:58 +0000 (22:58 +0100)]
SECURITY: Avoid decrement of dkim_collect_input if already at 0

Credits: Qualys

    5/ receive_msg() calls dkim_exim_verify_finish(), which sets
    dkim_collect_input to 0 and calls pdkim_feed_finish(), which calls
    pdkim_header_complete(), which decreases dkim_collect_input to UINT_MAX,
    which reactivates the DKIM code.

    As a result, pdkim_feed() is called again (through receive_getc at the
    end of receive_msg()), but functions like pdkim_finish_bodyhash() and
    exim_sha_finish() have already been called (in pdkim_feed_finish()).
    This suggests a use-after-free.

    But it seems that a use-after-free would happen only with
    EVP_DigestFinal() (in exim_sha_finish()), which does not seem to be
    reachable via DKIM (no SHA3). But we checked OpenSSL only, not GnuTLS.

    Here is a proof of concept that triggers the bug (which came very close
    to a security vulnerability):

    (sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'BDAT 42 LAST'; date >&2; sleep 30; printf 'not a valid header line\r\nDKIM-Signature:\r\nXXX'; sleep 30) | nc -n -v 192.168.56.102 25

    (gdb) print &dkim_collect_input
    $2 = (unsigned int *) 0x55e180386d90 <dkim_collect_input>
    (gdb) watch *(unsigned int *) 0x55e180386d90

    Hardware watchpoint 1: *(unsigned int *) 0x55e180386d90
    Old value = 0
    New value = 4294967295
    #0  0x000055e18031f805 in pdkim_header_complete (ctx=ctx@entry=0x55e181b9e8e0) at pdkim.c:1006
    #1  0x000055e18032106c in pdkim_feed_finish (ctx=0x55e181b9e8e0, return_signatures=0x55e180386d78 <dkim_signatures>, err=err@entry=0x7ffe443e1d00) at pdkim.c:1490
    #2  0x000055e1802a3280 in dkim_exim_verify_finish () at dkim.c:328
    #3  0x000055e1802c9d1d in receive_msg (extract_recip=extract_recip@entry=0) at receive.c:3409

(cherry picked from commit e3674091056ac05eb7ef1c504accce790c434bd7)

3 years agoSECURITY: Check overrun rcpt_count integer
Heiko Schlittermann (HS12-RIPE) [Wed, 25 Nov 2020 21:26:53 +0000 (22:26 +0100)]
SECURITY: Check overrun rcpt_count integer

Credits: Qualys

    4/ In src/smtp_in.c:

    4966     case RCPT_CMD:
    4967       HAD(SCH_RCPT);
    4968       rcpt_count++;
    ....
    5123       if (rcpt_count > recipients_max && recipients_max > 0)

    In theory this recipients_max check can be bypassed, because the int
    rcpt_count can overflow (become negative). In practice this would either
    consume too much memory or generate too much network traffic, but maybe
    it should be fixed anyway.

(cherry picked from commit 04139ca809fbe56d8fe9c55a77640ea9fa93b8f1)

3 years agoSECURITY: Fix safeguard against upward traversal in msglog files.
Heiko Schlittermann (HS12-RIPE) [Sat, 21 Nov 2020 21:41:28 +0000 (22:41 +0100)]
SECURITY: Fix safeguard against upward traversal in msglog files.

Credits: Qualys

    3/ In src/deliver.c:

     333 static int
     334 open_msglog_file(uschar *filename, int mode, uschar **error)
     335 {
     336 if (Ustrstr(filename, US"/../"))
     337   log_write(0, LOG_MAIN|LOG_PANIC,
     338     "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);

    Should this be LOG_PANIC_DIE instead of LOG_PANIC? Right now it will log
    the /../ attempt but will open the file anyway.

(cherry picked from commit 742c27f02d83792937dcb1719b380d3dde6228bf)

3 years agoSECURITY: Don't miss the very last byte when reading long lines from -H
Heiko Schlittermann (HS12-RIPE) [Sat, 21 Nov 2020 21:18:56 +0000 (22:18 +0100)]
SECURITY: Don't miss the very last byte when reading long lines from -H

Credits: Qualys

    2/ In src/spool_in.c:

     462   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
     463         && big_buffer[len-1] != '\n'
     464         )
     465     {   /* buffer not big enough for line; certs make this possible */
     466     uschar * buf;
     467     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
     468     buf = store_get_perm(big_buffer_size *= 2, FALSE);
     469     memcpy(buf, big_buffer, --len);

    The --len in memcpy() chops off a useful byte (we know for sure that
    big_buffer[len-1] is not a '\n' because we entered the while loop).

(cherry picked from commit 58454ea01c2e817481770954edf09ad82f3cd417)

3 years agoSECURITY: off-by-one in smtp transport (read response)
Heiko Schlittermann (HS12-RIPE) [Sat, 21 Nov 2020 21:03:03 +0000 (22:03 +0100)]
SECURITY: off-by-one in smtp transport (read response)

Credits: Qualys

    1/ In src/transports/smtp.c:

    2281       int n = sizeof(sx->buffer);
    2282       uschar * rsp = sx->buffer;
    2283
    2284       if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
    2285         { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

    This should probably be either:

    rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

    or:

    rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

    (not sure which) to avoid an off-by-one.

(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)

3 years agoStart documenting the things we changed incompatibly.
Phil Pennock [Mon, 2 Nov 2020 07:39:38 +0000 (02:39 -0500)]
Start documenting the things we changed incompatibly.

(cherry picked from commit 8dad4da53bad2ed3b29fa6a3b9ef59bfec73dc0e)

3 years agoInline four often-called new functions
Phil Pennock [Mon, 2 Nov 2020 07:23:14 +0000 (02:23 -0500)]
Inline four often-called new functions

The BDAT state switchers should happen so often during SMTP reception that a
compiler hint to inline seems wise.

The length filter checks happen on every start-up, which for Exim is often
enough that I think an inline these is warranted too.

(cherry picked from commit 6e3d0e3f1c8228ef19a3d1ba61f131cef3172ceb)

3 years agoFixes for compilation
Jeremy Harris [Sat, 31 Oct 2020 14:36:55 +0000 (14:36 +0000)]
Fixes for compilation

(cherry picked from commit 85a90771a373aaaced64b92d7176a8a310490b9e)

3 years agoSECURITY: rework BDAT receive function handling
Phil Pennock [Fri, 30 Oct 2020 03:21:36 +0000 (23:21 -0400)]
SECURITY: rework BDAT receive function handling

(cherry picked from commit dd1b9b753bb7c42df2b8f48d726b82928b67940b)

3 years agoSECURITY: fix SMTP verb option parsing
Phil Pennock [Fri, 30 Oct 2020 02:40:59 +0000 (22:40 -0400)]
SECURITY: fix SMTP verb option parsing

A boundary case in looking for an opening quote before the closing quote could
walk off the front of the buffer.

(cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)

3 years agoSECURITY: Avoid integer overflow on too many recipients
Phil Pennock [Fri, 30 Oct 2020 01:48:05 +0000 (21:48 -0400)]
SECURITY: Avoid integer overflow on too many recipients

(cherry picked from commit 323ff55e67b44e95f9d3cfaba155e385aa33c4bd)

3 years agoSECURITY: default recipients_max to 50,000
Phil Pennock [Fri, 30 Oct 2020 01:38:25 +0000 (21:38 -0400)]
SECURITY: default recipients_max to 50,000

A default of "unlimited" can have unfortunate consequences when people start
putting many millions of recipients on a message.

(cherry picked from commit 1d7780722a66cea8da5fa4ae0775e85d185fbf7e)

3 years agoSECURITY: a second negative store guard
Phil Pennock [Fri, 30 Oct 2020 01:30:04 +0000 (21:30 -0400)]
SECURITY: a second negative store guard

(cherry picked from commit 706864e934c70941ce7a327f97b7649a1e5f5556)

3 years agoSECURITY: refuse too small store allocations
Phil Pennock [Fri, 30 Oct 2020 00:49:49 +0000 (20:49 -0400)]
SECURITY: refuse too small store allocations

Negative sizes are definitely bad.
Optimistically, I'm saying that zero is bad too.  But perhaps we have something
doing that, expecting to be able to grow.  In which case we'll have to amend
this.

(cherry picked from commit 1c9afcec0043e2fb72607b2addb0613763705549)

3 years agoSECURITY: fix Qualys CVE-2020-PFPZA
Phil Pennock [Fri, 30 Oct 2020 00:42:40 +0000 (20:42 -0400)]
SECURITY: fix Qualys CVE-2020-PFPZA

(cherry picked from commit 29d7a8c25f182c91d5d30f124f9e296dce5c018e)

3 years agoSECURITY: fix Qualys CVE-2020-PFPSN
Phil Pennock [Thu, 29 Oct 2020 23:00:51 +0000 (19:00 -0400)]
SECURITY: fix Qualys CVE-2020-PFPSN

(cherry picked from commit 93b6044e1636404f3463f3e1113098742e295542)

3 years agoSECURITY: fix Qualys CVE-2020-SLCWD
Phil Pennock [Thu, 29 Oct 2020 15:47:58 +0000 (11:47 -0400)]
SECURITY: fix Qualys CVE-2020-SLCWD

(cherry picked from commit bf5f9d56fadf9be8d947f141d31f7e0e8fa63762)

3 years agoSECURITY: pick up more argv length checks
Phil Pennock [Thu, 29 Oct 2020 22:40:37 +0000 (18:40 -0400)]
SECURITY: pick up more argv length checks

(cherry picked from commit f28a6a502c7973d8844d11d4b0990d4b0359fb3f)

3 years agoSECURITY: length limits on many cmdline options
Phil Pennock [Thu, 29 Oct 2020 22:11:35 +0000 (18:11 -0400)]
SECURITY: length limits on many cmdline options

We'll also now abort upon, rather than silently truncate, a driver name
(router, transport, ACL, etc) encountered in the config which is longer than
the 64-char limit.

(cherry picked from commit ff8bef9ae2370db4a7873fe2ce573a607fe6999f)

3 years agoTestsuite: adjust 4520
Heiko Schlittermann (HS12-RIPE) [Mon, 26 Apr 2021 13:13:13 +0000 (15:13 +0200)]
Testsuite: adjust 4520

Now EACCESS makes it "up" to the logs. I'm not sure why we got ENOENT
before, as the errno is originated in src/dkim_transport.c, line 28

3 years agoDisable taintchecks for mkdir, this isn't part of 4.94
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 08:19:32 +0000 (10:19 +0200)]
Disable taintchecks for mkdir, this isn't part of 4.94

3 years agotestsuite: adjust 622 for taintwarn
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 08:17:57 +0000 (10:17 +0200)]
testsuite: adjust 622 for taintwarn

3 years agoSilence the compiler
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 16:58:35 +0000 (18:58 +0200)]
Silence the compiler

3 years agoDo not close the (main)_log, if we do not see a chance to open it again.
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 20:41:57 +0000 (22:41 +0200)]
Do not close the (main)_log, if we do not see a chance to open it again.

The process doing local deliveries runs as an unprivileged user. If this
process needs to log failures or warnings (as caused by the
is_tainting2() function), it can't re-open the main_log and just exits.

3 years agoSilence compiler
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 15:40:40 +0000 (17:40 +0200)]
Silence compiler

3 years agotidy log.c
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 07:19:21 +0000 (09:19 +0200)]
tidy log.c

(cherry picked from commit 0327b6460eec64da6b0c1543c7e9b3d0f8cb9294)

3 years agoSet mainlog_name and rejectlog_name unconditionally.
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 06:41:44 +0000 (08:41 +0200)]
Set mainlog_name and rejectlog_name unconditionally.

(cherry picked from commit 3f06b9b4c7244b169d50bce216c1f54b4dfe7efb)

3 years agotestsuite: add 0990 for allow_insecure_tainted_data
Heiko Schlittermann (HS12-RIPE) [Mon, 5 Apr 2021 14:06:24 +0000 (16:06 +0200)]
testsuite: add 0990 for allow_insecure_tainted_data

3 years agoupdate doc
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 07:29:13 +0000 (09:29 +0200)]
update doc

3 years agosmtp
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:02:27 +0000 (22:02 +0200)]
smtp

3 years agosmtp_out
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:42:38 +0000 (21:42 +0200)]
smtp_out

3 years agodeliver
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 08:54:22 +0000 (10:54 +0200)]
deliver

3 years agorf_get_transport
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 06:36:24 +0000 (08:36 +0200)]
rf_get_transport

3 years agolf_sqlperform
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:36:12 +0000 (21:36 +0200)]
lf_sqlperform

3 years agoexpand
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:33:50 +0000 (21:33 +0200)]
expand

3 years agodirectory
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:28:59 +0000 (21:28 +0200)]
directory

3 years agodeliver
Heiko Schlittermann (HS12-RIPE) [Wed, 31 Mar 2021 21:12:44 +0000 (23:12 +0200)]
deliver

3 years agopipe
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 15:30:27 +0000 (17:30 +0200)]
pipe

3 years agoautoreply
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 09:06:27 +0000 (11:06 +0200)]
autoreply

3 years agoappendfile
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 09:00:06 +0000 (11:00 +0200)]
appendfile

3 years agorda
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:59:46 +0000 (10:59 +0200)]
rda

3 years agoparse
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:58:46 +0000 (10:58 +0200)]
parse

3 years agoacl
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:50:14 +0000 (10:50 +0200)]
acl

3 years agodbstuff
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:49:49 +0000 (10:49 +0200)]
dbstuff

3 years agosearch
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:45:03 +0000 (22:45 +0200)]
search

3 years agoIntroduce main config option allow_insecure_tainted_data
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:44:31 +0000 (22:44 +0200)]
Introduce main config option allow_insecure_tainted_data

This option is deprecated already now.

3 years agoRe-ran the conversion of all DH parameters
Phil Pennock [Fri, 18 Sep 2020 14:25:42 +0000 (10:25 -0400)]
Re-ran the conversion of all DH parameters

I get different results now to those I got before.

Now, using gen_pkcs3 linked against OpenSSL 1.1.1f-1ubuntu2 on Focal Fossa, I
get the results below.  The ffdhe2048 value now matches that at
<https://ssl-config.mozilla.org/ffdhe2048.txt>.

I ran the same code yesterday for just the ffdhe2048 item and got code which
seemed to me then to match what was already in the C file.  Something hinky is
going on, perhaps with my sanity.

(the commit IDs changee because of heavy rebasing (heiko))

(cherry picked from commit 76ed8115182e2daaadb437ec9655df8000796ec5)