CVE-2018-6789
=============
-There is a buffer overflow in an utility function, if some pre-conditions
-are met. Using a handcrafted message, remote code execution seems to be
-possible.
+There is a buffer overflow in base64d(), if some pre-conditions are met.
+Using a handcrafted message, remote code execution seems to be possible.
A patch exists already and is being tested.
Currently we're unsure about the severity, we *believe*, an exploit
is difficult. A mitigation isn't known.
-Next steps:
-
-* t0: Distros will get access to our non-public security git repo
- (based on the SSH keys known to us)
-
- ssh://git@exim.org/exim.git tag: exim-4_90_1
- ssh://git@exim.org/exim-packages.git tag: exim-4_90_1
-
-* t0 +7d: Patch will be published on the official public git repo
-
-
Timeline (UTC)
---------
+--------------
* 2018-02-05 Report from Meh Chang <meh@devco.re> via exim-security mailing list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
mailing lists and on oss-security mailing list
* 2018-02-08 16:50 Grant restricted access to the security repo for
distro maintainers
-
-scheduled:
-* 2018-02-15 16:50 Grant public access to the our official git repo.
+* 2018-02-09 One distro breaks the embargo
+* 2018-02-10 18:00 Grant public access to the our official git repo.