[ph10at_private: [Exim] Potential security problem]

From: Tabor J. Wells (twellsat_private)
Date: Wed Dec 19 2001 - 06:46:34 PST


    Forwarded from the exim-users mailing list
    
    ----- Forwarded message from Philip Hazel <ph10at_private> -----
    
    From: Philip Hazel <ph10at_private>
    To:  <exim-usersat_private>,  <exim-announceat_private>
    Subject: [Exim] Potential security problem
    X-BeenThere: exim-usersat_private
    Date: Wed, 19 Dec 2001 14:35:41 +0000 (GMT)
    
    Important. Please read.
    
    Amongst other things, Exim 3.34 and Exim 3.952 (alpha for Exim 4), which I have
    just put onto the primary ftp site, contain a fix for a potential security
    problem. Please check whether this could affect you, and if so, either upgrade
    to the new release, or apply one of the patches below.
    
    The problem exists only in the case of a run time configuration which directs
    or routes an address to a pipe transport without checking the local part of the
    address in any way. This does not apply, for example, to pipes run from alias
    or forward files, because the local part is checked to ensure that it is the
    name of an alias or of a local user.
    
    One kind of configuration where this may apply is one where all incoming mail
    is sent straight to a virus checker by means of a pipe, without inspecting the
    local parts of addresses. However, if receiver_verify is turned on, and the
    director/router that is used for the pipe has no_verify set, there may not be
    an exposure, because the local parts are probably checked by the verification
    process even though they are not checked at delivery time before being sent to
    the pipe.
    
    The bug is provoked by routing/directing an address whose local part begins
    with a pipe symbol (vertical bar) to a pipe transport. That is why any
    configuration in which local parts are first checked in some way is not
    normally vulnerable (a local part starting with a pipe symbol is normally
    invalid). The Exim 4 default configuration blocks local parts that contain any
    of the characters @%!/| at SMTP time, as it happens.
    
    The bug's effect is that, instead of obeying the correct pipe command, a broken
    Exim runs the command encoded in the local part.
    
    If you do not want to upgrade to Exim 3.34, here are two patches for earlier
    versions. The fix is very simple. The bug was a bit of idiotic stupidity on my
    part. Apologies for the inconvenience. My thanks to Patrice Fournier for
    discovering and reporting this problem, and keeping on at me when at first I
    did not believe him.
    
    ----------------------------------------------------------------------------
    This patch is for version 3.33. It should also work on all previous versions
    back to 3.20.
    
    *** exim-3.33/src/transports/pipe.c Wed Aug 15 12:09:13 2001
    --- transports/pipe.c	Thu Dec 13 10:25:21 2001
    ***************
    *** 487,493 ****
      pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
      the command is supplied as one of the pipe transport's options. */
    
    ! if (addr->local_part[0] == '|')
        {
        cmd = addr->local_part + 1;
        while (isspace((uschar)*cmd)) cmd++;
    --- 487,493 ----
      pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
      the command is supplied as one of the pipe transport's options. */
    
    ! if (testflag(addr,af_pfr) && addr->local_part[0] == '|')
        {
        cmd = addr->local_part + 1;
        while (isspace((uschar)*cmd)) cmd++;
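Review bot: the comment at the top of the hunk ("pointed to by addr->local_part; it starts with the pipe symbol. In other cases, the command is supplied as one of the pipe transport's options") still documents only the pipe-symbol test, but the new condition also requires testflag(addr,af_pfr); extend the comment so a reader knows the local-part command is honoured only for an address generated from a pipe item in an alias or forward file, and that a local part beginning with '|' arriving by any other route now falls through to the transport's configured command.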
    ----------------------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------
    This patch is for versions before 3.20. It should work at least as far back as
    release 3.12 (which was released on December 8, 1999). It may work on earlier
    releases - if not, it is such a simple patch that you should be able to figure
    out what to change by hand.
    
    *** src/transports/pipe.c Wed Aug 15 12:09:13 2001
    --- transports/pipe.c	Thu Dec 13 10:25:21 2001
    ***************
    *** 487,493 ****
      pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
      the command is supplied as one of the pipe transport's options. */
    
    ! if (addr->local_part[0] == '|')
        {
        cmd = addr->local_part + 1;
        while (isspace((uschar)*cmd)) cmd++;
    --- 487,493 ----
      pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
      the command is supplied as one of the pipe transport's options. */
    
    ! if (addr->pfr && addr->local_part[0] == '|')
        {
        cmd = addr->local_part + 1;
        while (isspace((uschar)*cmd)) cmd++;
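Review bot: the file header and hunk range here are copied from the 3.33 patch (the same "*** 487,493 ****" line numbers and the same "Wed Aug 15 12:09:13 2001" timestamp), so on releases before 3.20 the offsets will very likely not match and patch will have to rely on fuzz or fail; the text above already says the change is simple enough to apply by hand, and as with the first patch the comment above the test should be extended to mention the new addr->pfr requirement.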
    ----------------------------------------------------------------------------
    
    
    --
    Philip Hazel            University of Cambridge Computing Service,
    ph10at_private      Cambridge, England. Phone: +44 1223 334714.
    
    
    --
    
    ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
    
    
    
    ----- End forwarded message -----
    
    -- 
    --------------------------------------------------------------------
    Tabor J. Wells                                     twellsat_private
    Fsck It!                 Just another victim of the ambient morality
    
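As an added illustration (my own model, not Exim's code and not part of the forwarded post), the C below reproduces the command-selection decision that the patches change, side by side with the local-part filter that the Exim 4 default configuration applies at SMTP time. The struct name address_item, the pfr field standing in for af_pfr / addr->pfr, the functions local_part_rejected, select_pipe_command and demo_command, the sample local part and the transport command /usr/local/bin/virus-scan are all assumptions made for the example.

```c
/* Added model of the pipe-transport command choice described in the
 * advisory (not Exim's own code). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *local_part;
    int pfr; /* hypothetical stand-in for af_pfr / addr->pfr: set only when the
                address came from a pipe item in an alias or forward file */
} address_item;

/* 1 if the local part contains any of the characters @%!/| that the Exim 4
 * default configuration rejects at SMTP time, 0 otherwise. */
int local_part_rejected(const char *local_part)
{
    return strpbrk(local_part, "@%!/|") != NULL;
}

/* Returns the command the pipe transport would run. fixed == 0 models the
 * pre-3.34 logic: any local part starting with '|' supplies the command.
 * fixed == 1 models the patch: the local part is honoured only when pfr is
 * set, otherwise the transport's configured command is used. */
const char *select_pipe_command(const address_item *addr,
                                const char *transport_cmd, int fixed)
{
    if ((!fixed || addr->pfr) && addr->local_part[0] == '|') {
        const char *cmd = addr->local_part + 1;
        while (isspace((unsigned char)*cmd)) cmd++;
        return cmd;
    }
    return transport_cmd;
}

/* Convenience wrapper: build an address and pick its command. */
const char *demo_command(const char *local_part, int pfr, int fixed)
{
    address_item addr = { local_part, pfr };
    return select_pipe_command(&addr, "/usr/local/bin/virus-scan", fixed);
}

int main(void)
{
    /* Constructed sample: an externally supplied recipient whose local part
     * begins with a pipe symbol, routed unchecked to a pipe transport. */
    const char *lp = "| some-command arg";
    printf("rejected by Exim 4 default check: %d\n", local_part_rejected(lp));
    printf("pre-fix command : %s\n", demo_command(lp, 0, 0));
    printf("post-fix command: %s\n", demo_command(lp, 0, 1));
    return 0;
}
```

A genuine alias-generated pipe (pfr set) still runs its own command after the fix, which is why alias and forward files are unaffected.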



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 11:13:07 PST