Fix CVE-2019-10149

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 751b1d5344fc1ea5e8a2caa916156b0d5c1e636a..d9b8969057066ae39b7a3f5a801e620edc2178a1 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -85,6 +85,8 @@ JH/41 Fix the loop reading a message header line to check for integer overflow,
 JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option.  It had
       been totally disabled for all of 4.91.  Discovery and fix by "Mad Alex".
 
+JH/43 Fix CVE-2019-10149
+
 
 Exim version 4.91
 -----------------

diff --git a/doc/doc-txt/cve-2019-10149 b/doc/doc-txt/cve-2019-10149
new file mode 100644 (file)
index 0000000..4a9d3fb
--- /dev/null
+++ b/doc/doc-txt/cve-2019-10149
@@ -0,0 +1,36 @@
+CVE-2019-10149 Exim 4.87 to 4.91
+================================
+
+We received a report of a possible remote exploit.  Currently there is no
+evidence of an active use of this exploit.
+
+A patch exists already, is being tested, and backported to all
+versions we released since (and including) 4.87.
+
+The severity depends on your configuration.  It depends on how close to
+the standard configuration your Exim runtime configuration is. The
+closer the better.
+
+Exim 4.92 is not vulnerable.
+
+Next steps:
+
+* t0:    Distros will get access to our non-public security Git repo
+         (access is granted based on the SSH keys that are known to us)
+
+* t0+7d: Coordinated Release Date: Distros should push the patched
+         version to their repos. The Exim maintainers will publish
+         the fixed source to the official and public Git repo.
+
+t0    is expected to be 2019-06-04, 10:00 UTC
+t0+7d is expected to be 2019-06-11, 10:00 UTC
+
+
+Timeline
+--------
+
+* 2019-05-27 Report from Qualys to exim-security list
+* 2019-05-27 Patch provided by Jeremy Harris
+* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
+* 2019-06-03 This announcement
+* 2019-06-04 10:00 UTC Grant access to the non-public security Git repo

diff --git a/src/src/deliver.c b/src/src/deliver.c
index 59256ac2cb91f9abf1a40bdb8a33500b8ef8acf6..45cc0723f9203a5bf55aecb06ad6736cc173f387 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -6227,17 +6227,23 @@ if (process_recipients != RECIP_IGNORE)
        {
        uschar * save_local =  deliver_localpart;
        const uschar * save_domain = deliver_domain;
+       uschar * addr = new->address, * errmsg = NULL;
+       int start, end, dom;
 
-       deliver_localpart = expand_string(
-                     string_sprintf("${local_part:%s}", new->address));
-       deliver_domain =    expand_string(
-                     string_sprintf("${domain:%s}", new->address));
+       if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+         log_write(0, LOG_MAIN|LOG_PANIC,
+                "failed to parse address '%.100s': %s\n", addr, errmsg);
+       else
+         {
+         deliver_localpart =
+           string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+         deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
 
-       (void) event_raise(event_action,
-                     US"msg:fail:internal", new->message);
+         event_raise(event_action, US"msg:fail:internal", new->message);
 
-       deliver_localpart = save_local;
-       deliver_domain =    save_domain;
+         deliver_localpart = save_local;
+         deliver_domain = save_domain;
+         }
        }
 #endif
       }