From 5dc522966ae58ac845dc280495af651c9858f152 Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Thu, 29 Oct 2020 11:47:58 -0400
Subject: [PATCH] SECURITY: fix Qualys CVE-2020-SLCWD
(cherry picked from commit bf5f9d56fadf9be8d947f141d31f7e0e8fa63762)
(cherry picked from commit 6d2cfb575c95c1b81597d6b9eb2904cd695d7e4a)
---
 doc/doc-txt/ChangeLog | 8 ++++----
 src/src/exim.c | 6 ++++++
 src/src/macros.h | 14 +++++++++-----
 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4c6eb810e..ba9cc1c12 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -263,12 +263,12 @@ PP/02 Bug 2643: Correct TLS DH constants.
 incorrect Diffie-Hellman constants in the Exim source. Reported by kylon94, code-gen tool fix by Simon Arlott.
-PP/03 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
- better. Reported by Qualys.
-
-PP/04 Impose security length checks on various command-line options.
+PP/03 Impose security length checks on various command-line options.
 Fixes CVE-2020-SPRSS reported by Qualys.
+PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
+ better. Reported by Qualys.
+
 Exim version 4.94
 -----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index 49f7e5f36..1b7529c73 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3870,7 +3870,13 @@ during readconf_main() some expansion takes place already. */
 /* Store the initial cwd before we change directories. Can be NULL if the dir has already been unlinked. */
+errno = 0;
 initial_cwd = os_getcwd(NULL, 0);
+if (!initial_cwd && errno)
+ exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
+
+if (initial_cwd && (strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE))
+ exim_fail("exim: initial cwd is far too long (%d)\n", Ustrlen(CCS initial_cwd));
 /* checking: -be[m] expansion test -
diff --git a/src/src/macros.h b/src/src/macros.h
index 72856a53b..f8987d604 100644
--- a/src/src/macros.h
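Review bot: The new length guard in the exim.c hunk, `strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE`, still accepts a working directory of up to BIG_BUFFER_SIZE-1 bytes, which leaves no headroom if the code that later uses initial_cwd appends anything to it. The macros.h comment in this same patch says the buffer must hold the path plus room for string additions. The consumer is outside this hunk, so this is inferred. A bound that reserves that room at the check itself, for example `if (initial_cwd && (strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE / 2))`, would make the invariant visible here. Separately, the context comment still says initial_cwd can be NULL if the directory has been unlinked, yet `if (!initial_cwd && errno)` now takes the exim_fail path whenever the call fails with errno set; either exempt that case explicitly or reword the comment to say that an unreadable or over-long cwd is rejected. The enclosing function starts and ends outside the hunk.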
+++ b/src/src/macros.h
@@ -154,7 +154,9 @@ enough to hold all the headers from a normal kind of message. */
 /* The initial size of a big buffer for use in various places. It gets put into big_buffer_size and in some circumstances increased. It should be at least
-as long as the maximum path length. */
+as long as the maximum path length PLUS room for string additions.
+Let's go with "at least twice as large as maximum path length".
+*/
 #ifdef AUTH_HEIMDAL_GSSAPI
 /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
@@ -163,10 +165,12 @@ as long as the maximum path length. */
 # define __BIG_BUFFER_SIZE 16384
 #endif
-#if defined PATH_MAX && PATH_MAX > __BIG_BUFFER_SIZE
-# define BIG_BUFFER_SIZE PATH_MAX
-#elif defined MAXPATHLEN && MAXPATHLEN > __BIG_BUFFER_SIZE
-# define BIG_BUFFER_SIZE MAXPATHLEN
+#ifndef PATH_MAX
+/* exim.h will have ensured this exists before including us. */
+# error headers confusion, PATH_MAX missing in macros.h
+#endif
+#if (PATH_MAX*2) > __BIG_BUFFER_SIZE
+# define BIG_BUFFER_SIZE (PATH_MAX*2)
 #else
 # define BIG_BUFFER_SIZE __BIG_BUFFER_SIZE
 #endif
--
2.30.2
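Review bot: The sizing in the second macros.h hunk, `# define BIG_BUFFER_SIZE (PATH_MAX*2)`, is documented only as "at least twice as large as maximum path length", which reads as if PATH_MAX bounded every path the program can meet. The exim.c check added in this same patch exists because a cwd can be longer than that. I would extend the comment changed in the first macros.h hunk with a line such as `Sizing only: a path can exceed PATH_MAX, so callers must still length-check before copying into big_buffer.` As a style point, `__BIG_BUFFER_SIZE` (unchanged context here) begins with a double underscore, which is reserved for the implementation; a name such as `BIG_BUFFER_SIZE_MIN` would avoid that. The `#ifdef AUTH_HEIMDAL_GSSAPI` block that defines it starts outside these hunks.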