X-Git-Url: https://git.exim.org/exim-website.git/blobdiff_plain/a2de87c485edb179c59783c693781c93819a1a5d..34fcdc20a1610c9c171db62fcd694613e4cd09c0:/templates/static/doc/security/CVE-2020-qualys/patches3.txt?ds=sidebyside diff --git a/templates/static/doc/security/CVE-2020-qualys/patches3.txt b/templates/static/doc/security/CVE-2020-qualys/patches3.txt new file mode 100644 index 0000000..dab93f7 --- /dev/null +++ b/templates/static/doc/security/CVE-2020-qualys/patches3.txt 
@@ -0,0 +1,69 @@ +Hi all, + +We noticed the branch "hs/qualys-2020" and reviewed the patches. We just +have three comments and one question: + +======================================================================== +commit 4f0ac4ad70d38a13fb3f248c3ae2b66b0e1fe7d3 + + Safeguard against relative names for msglog files. + +Is there a reason for the extra "&& (p == filename || *(p-1) == '/')"? + +Because of this extra condition, our exploit against CVE-2019-15846 for +example would work despite this patch: we overwrite the message id (the +argument for deliver_message()) with "/../../../../../../../etc/passwd" +but depending on the alignment of our memory corruption, the beginning +of id can be "./../../" (for example) and: + +- (p = Ustrstr(filename, US"/../")) is true; + +- (p == filename) is false, because filename always starts with + spool_directory, an absolute path; + +- (*(p-1) == '/') is false, because the character before the first + "/../" is '.'; + +as a result, log_write(LOG_PANIC_DIE) is not called and we can modify +/etc/passwd. + +======================================================================== +commit e5cb5e615a63a4c97d3e2e88903eaaadfb254bcb + + Check overrun rcpt_count integer + + if (rcpt_count+1 < 0 + +Actually, such a signed integer overflow is undefined behavior in C and +an optimizing compiler may therefore remove this check completely (some +do). The check should be made against INT_MAX (before the int overflow) +and should be made earlier, when rcpt_count is incremented (at the very +beginning of the case RCPT_CMD): otherwise, rcpt_count can be increased +without going through the recipients_max check (e.g., via the breaks in +"if (sender_address == NULL)" and "if (!recipient_domain)"). 
+ +======================================================================== +commit 54895bc3ffdf5ecebcbafb2e6041fa52d6f5e5fb + + smtp_out: Leave a clean input buffer, even in case of read error + ++ inblock->ptr = ptr; + return -1; + +There is another return -1 in this function, should it also get fixed? +Or maybe a common error codepath should be added instead? + +======================================================================== + +We saw 20-patches2.txt.gpg in cve-2020-qualys/ and just in case: did you +also receive/read patches1.txt? + +======================================================================== + +Thank you very much for all your work on Exim! We are at your disposal +for questions, comments, and further discussions. + +With best regards, + +-- +the Qualys Security Advisory team
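Review bot: the published mail points readers at two sibling files that this change does not add (patches1.txt and 20-patches2.txt.gpg, referred to as living in "cve-2020-qualys/"), while the file being added here sits under "CVE-2020-qualys/" and is named patches3.txt, so the references will not resolve and the directory casing and numbering are inconsistent. Either add the referenced files (or their redacted equivalents) in the same directory with matching names, or include a short index note stating that this is the third of three Qualys mails and that the commit hashes it discusses (4f0ac4ad70d3..., e5cb5e615a63..., 54895bc3ffdf...) belong to the Exim "hs/qualys-2020" branch, not to this website repository, so a reader landing on this page alone can follow it.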