From d740d2111f189760593a303124ff6b9b1f83453d Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Mon, 27 May 2019 21:57:31 +0100
Subject: [PATCH] Fix CVE-2019-10149

---
 doc/doc-txt/ChangeLog      |  2 ++
 doc/doc-txt/cve-2019-10149 | 36 ++++++++++++++++++++++++++++++++++++
 src/src/deliver.c          | 22 ++++++++++++++--------
 3 files changed, 52 insertions(+), 8 deletions(-)
 create mode 100644 doc/doc-txt/cve-2019-10149

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 751b1d534..d9b896905 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -85,6 +85,8 @@ JH/41 Fix the loop reading a message header line to check for integer overflow,
 JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option.  It had
       been totally disabled for all of 4.91.  Discovery and fix by "Mad Alex".
 
+JH/43 Fix CVE-2019-10149
+
 
 Exim version 4.91
 -----------------
diff --git a/doc/doc-txt/cve-2019-10149 b/doc/doc-txt/cve-2019-10149
new file mode 100644
index 000000000..4a9d3fb68
--- /dev/null
+++ b/doc/doc-txt/cve-2019-10149
@@ -0,0 +1,36 @@
+CVE-2019-10149 Exim 4.87 to 4.91
+================================
+
+We received a report of a possible remote exploit.  Currently there is no
+evidence of an active use of this exploit.
+
+A patch exists already, is being tested, and backported to all
+versions we released since (and including) 4.87.
+
+The severity depends on your configuration.  It depends on how close to
+the standard configuration your Exim runtime configuration is. The
+closer the better.
+
+Exim 4.92 is not vulnerable.
+
+Next steps:
+
+* t0:    Distros will get access to our non-public security Git repo
+         (access is granted based on the SSH keys that are known to us)
+
+* t0+7d: Coordinated Release Date: Distros should push the patched
+         version to their repos. The Exim maintainers will publish
+         the fixed source to the official and public Git repo.
+
+t0    is expected to be 2019-06-04, 10:00 UTC
+t0+7d is expected to be 2019-06-11, 10:00 UTC
+
+
+Timeline
+--------
+
+* 2019-05-27 Report from Qualys to exim-security list
+* 2019-05-27 Patch provided by Jeremy Harris
+* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
+* 2019-06-03 This announcement
+* 2019-06-04 10:00 UTC Grant access to the non-public security Git repo
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 59256ac2c..45cc0723f 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -6227,17 +6227,23 @@ if (process_recipients != RECIP_IGNORE)
 	{
 	uschar * save_local =  deliver_localpart;
 	const uschar * save_domain = deliver_domain;
+	uschar * addr = new->address, * errmsg = NULL;
+	int start, end, dom;
 
-	deliver_localpart = expand_string(
-		      string_sprintf("${local_part:%s}", new->address));
-	deliver_domain =    expand_string(
-		      string_sprintf("${domain:%s}", new->address));
+	if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+	  log_write(0, LOG_MAIN|LOG_PANIC,
+                "failed to parse address '%.100s': %s\n", addr, errmsg);
+	else
+	  {
+	  deliver_localpart =
+	    string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+	  deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
 
-	(void) event_raise(event_action,
-		      US"msg:fail:internal", new->message);
+	  event_raise(event_action, US"msg:fail:internal", new->message);
 
-	deliver_localpart = save_local;
-	deliver_domain =    save_domain;
+	  deliver_localpart = save_local;
+	  deliver_domain = save_domain;
+	  }
 	}
 #endif
       }
-- 
2.30.2