git://git.exim.org / users / heiko / exim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7685ce6)
Documentation/Tests for CVE-2014-2972 fix exim-4_83
authorTodd Lyons <tlyons@exim.org>
Fri, 18 Jul 2014 18:42:08 +0000 (11:42 -0700)
committerTodd Lyons <tlyons@exim.org>
Mon, 21 Jul 2014 14:28:07 +0000 (07:28 -0700)
doc/doc-txt/ChangeLog patch | blob | history
test/aux-fixed/0002.lsearch patch | blob | history
test/scripts/0000-Basic/0002 patch | blob | history
test/stdout/0002 patch | blob | history

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 770b106a54edbafdc1fcd3a4bf42db2a2d1c7460..61086c7e254ae90872eb640b6b8e21c4938b0b3b 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -150,6 +150,10 @@ PP/02 Fix internal collision of T_APL on systems which support RFC3123
 
 JH/28 Fix parsing of MIME headers for parameters with quoted semicolons.
 
 
 JH/28 Fix parsing of MIME headers for parameters with quoted semicolons.
 
+TL/15 SECURITY: prevent double expansion in math comparison functions
+      (can expand unsanitized data). Not remotely exploitable.
+      CVE-2014-2972
+
 
 Exim version 4.82
 -----------------
 
 Exim version 4.82
 -----------------
diff --git a/test/aux-fixed/0002.lsearch b/test/aux-fixed/0002.lsearch
index dcf198b70a058b4aea1bc4a2ec1760398709ff94..5cd6b1aa08761f7a8f8f2e0dd4d0bb5ce70fff41 100644 (file)
--- a/test/aux-fixed/0002.lsearch
+++ b/test/aux-fixed/0002.lsearch
@@ -1,2 +1,3 @@
 ten-1.test.ex
 10.0.0.2
 ten-1.test.ex
 10.0.0.2
+trick: ${substr_2_2:65535}
diff --git a/test/scripts/0000-Basic/0002 b/test/scripts/0000-Basic/0002
index 7b6c34b3eca5c34dfdc0be0a9aa957b29b1bc89b..51dc6ae48661185680e54f259f073a5699bca74d 100644 (file)
--- a/test/scripts/0000-Basic/0002
+++ b/test/scripts/0000-Basic/0002
@@ -331,6 +331,7 @@ mask:   ${if eq {1}{2}{${mask:invalid}}{NO}}
 5>3m:   ${if >{5 } {3m }{y}{n}}
 5>3z:   ${if >{5 } {3z }{y}{n}}
 5>a:    ${if >{ 5 } {a}{y}{n}}
 5>3m:   ${if >{5 } {3m }{y}{n}}
 5>3z:   ${if >{5 } {3z }{y}{n}}
 5>a:    ${if >{ 5 } {a}{y}{n}}
+5>bad:  ${if >{5 } {${lookup{trick}lsearch{DIR/aux-fixed/0002.lsearch}}} {y}{n}}
 
 >0:     ${if > {}{0}{y}{n}}
 =:      ${if = {}{}{y}{n}}
 
 >0:     ${if > {}{0}{y}{n}}
 =:      ${if = {}{}{y}{n}}
diff --git a/test/stdout/0002 b/test/stdout/0002
index 64e5719444cb4875886330e02d0458f691c8c6b1..7200bf3a78211242dec6167423f42de127cf4aeb 100644 (file)
--- a/test/stdout/0002
+++ b/test/stdout/0002
@@ -304,6 +304,7 @@
 > 5>3m:   n
 > Failed: invalid integer "3z "
 > Failed: integer expected but "a" found
 > 5>3m:   n
 > Failed: invalid integer "3z "
 > Failed: integer expected but "a" found
+> Failed: integer expected but "${substr_2_2:65535}" found
 > 
 > >0:     n
 > =:      y
 > 
 > >0:     n
 > =:      y
Unnamed repository; edit this file 'description' to name the repository.