From 0806a9c5bfe809d616ae63fa68e959a2fac2a864 Mon Sep 17 00:00:00 2001
From: Magnus Holmgren
Date: Mon, 14 May 2007 18:56:25 +0000
Subject: [PATCH] The "spam" ACL condition code contained a sscanf() call with a %s conversion specification without a maximum field width, thereby enabling a rogue spamd server to cause a buffer overflow. While nobody in their right mind would setup Exim to query an untrusted spamd server, an attacker that gains access to a server running spamd could potentially exploit this vulnerability to run arbitrary code as the Exim user.
---
 doc/doc-txt/ChangeLog | 9 ++++++++-
 src/src/spam.c | 6 +++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 157433630..427270499 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.507 2007/05/11 08:50:42 tom Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.508 2007/05/14 18:56:25 magnus Exp $
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -28,6 +28,13 @@ PH/02 When an IPv6 address is converted to a string for single-key lookup
 TK/01 Change PRVS address formatting scheme to reflect latests BATV draft version.
+MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
+ conversion specification without a maximum field width, thereby enabling
+ a rogue spamd server to cause a buffer overflow. While nobody in their
+ right mind would setup Exim to query an untrusted spamd server, an
+ attacker that gains access to a server running spamd could potentially
+ exploit this vulnerability to run arbitrary code as the Exim user.
+
 Exim version 4.67
 -----------------
diff --git a/src/src/spam.c b/src/src/spam.c
index 700200605..99c6d0c5a 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/spam.c,v 1.13 2006/09/05 14:05:43 ph10 Exp $ */
+/* $Cambridge: exim/src/src/spam.c,v 1.14 2007/05/14 18:56:25 magnus Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -316,11 +316,11 @@ again:
 (void)close(spamd_sock);
 /* dig in the spamd output and put the report in a multiline header, if requested */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
 spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
 /* try to fall back to pre-2.50 spamd output */
- if( sscanf(CS spamd_buffer,"SPAMD/%s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
+ if( sscanf(CS spamd_buffer,"SPAMD/%7s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
 spamd_version,&spamd_score,&spamd_threshold,&spamd_report_offset) != 3 ) {
 log_write(0, LOG_MAIN|LOG_PANIC, "spam acl condition: cannot parse spamd output");
-- 
2.30.2
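Review bot: The new `%7s` width in both sscanf() calls is a bare literal that must stay exactly one less than the declared size of spamd_version, and that declaration is outside this hunk, so nothing in the code ties the two together and a later resize of the array could silently reintroduce the overflow. Add a comment on the first call such as `/* %7s: width must be sizeof(spamd_version) - 1 so sscanf has room for the terminating NUL */`, or derive the width from one macro used by both the array declaration and the two format strings; the second (pre-2.50 fallback) call a few lines below needs the same treatment. It is also worth stating in that comment that a version token longer than seven characters now fails to match the following ` 0 EX_OK` literal and falls through to the "cannot parse spamd output" branch instead of being truncated and accepted, which is the intended safe outcome. sscanf() further relies on spamd_buffer being NUL-terminated, which this hunk does not show; presumably the read loop that fills it guarantees that. The enclosing function begins and ends outside the hunk.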