From: Jeremy Harris Date: Mon, 27 May 2019 20:57:31 +0000 (+0100) Subject: Fix CVE-2019-10149 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/d740d2111f189760593a303124ff6b9b1f83453d Fix CVE-2019-10149 --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 751b1d534..d9b896905 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -85,6 +85,8 @@ JH/41 Fix the loop reading a message header line to check for integer overflow, JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had been totally disabled for all of 4.91. Discovery and fix by "Mad Alex". +JH/43 Fix CVE-2019-10149 + Exim version 4.91 ----------------- diff --git a/doc/doc-txt/cve-2019-10149 b/doc/doc-txt/cve-2019-10149 new file mode 100644 index 000000000..4a9d3fb68 --- /dev/null +++ b/doc/doc-txt/cve-2019-10149 @@ -0,0 +1,36 @@ +CVE-2019-10149 Exim 4.87 to 4.91 +================================ + +We received a report of a possible remote exploit. Currently there is no +evidence of an active use of this exploit. + +A patch exists already, is being tested, and backported to all +versions we released since (and including) 4.87. + +The severity depends on your configuration. It depends on how close to +the standard configuration your Exim runtime configuration is. The +closer the better. + +Exim 4.92 is not vulnerable. + +Next steps: + +* t0: Distros will get access to our non-public security Git repo + (access is granted based on the SSH keys that are known to us) + +* t0+7d: Coordinated Release Date: Distros should push the patched + version to their repos. The Exim maintainers will publish + the fixed source to the official and public Git repo. + +t0 is expected to be 2019-06-04, 10:00 UTC +t0+7d is expected to be 2019-06-11, 10:00 UTC + + +Timeline +-------- + +* 2019-05-27 Report from Qualys to exim-security list +* 2019-05-27 Patch provided by Jeremy Harris +* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat +* 2019-06-03 This announcement +* 2019-06-04 10:00 UTC Grant access to the non-public security Git repo diff --git a/src/src/deliver.c b/src/src/deliver.c index 59256ac2c..45cc0723f 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -6227,17 +6227,23 @@ if (process_recipients != RECIP_IGNORE) { uschar * save_local = deliver_localpart; const uschar * save_domain = deliver_domain; + uschar * addr = new->address, * errmsg = NULL; + int start, end, dom; - deliver_localpart = expand_string( - string_sprintf("${local_part:%s}", new->address)); - deliver_domain = expand_string( - string_sprintf("${domain:%s}", new->address)); + if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE)) + log_write(0, LOG_MAIN|LOG_PANIC, + "failed to parse address '%.100s': %s\n", addr, errmsg); + else + { + deliver_localpart = + string_copyn(addr+start, dom ? (dom-1) - start : end - start); + deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS""; - (void) event_raise(event_action, - US"msg:fail:internal", new->message); + event_raise(event_action, US"msg:fail:internal", new->message); - deliver_localpart = save_local; - deliver_domain = save_domain; + deliver_localpart = save_local; + deliver_domain = save_domain; + } } #endif }