community/exim: security fix (CVE-2020-12783)

ref #11556

3 files changed, 151 insertions, 3 deletions

diff --git a/community/exim/APKBUILD b/community/exim/APKBUILD
index 4fb25baa936..78196a09f2b 100644
--- a/community/exim/APKBUILD
+++ b/community/exim/APKBUILD
@@ -6,7 +6,7 @@
 # Maintainer: Jesse Young <jlyo@jlyo.org>
 pkgname=exim
 pkgver=4.93
-pkgrel=0
+pkgrel=1
 pkgdesc="Message Transfer Agent"
 url="https://www.exim.org/"
 arch="all"
@@ -29,9 +29,15 @@ source="https://ftp.exim.org/pub/exim/exim4/$pkgname-$pkgver.tar.xz
 	exim.confd
 	exim.initd
 	exim.logrotate
-	exim.gencert"
+	exim.gencert
+
+	CVE-2020-12783-1.patch
+	CVE-2020-12783-2.patch
+	"
 
 # secfixes:
+#   4.93-r1:
+#     - CVE-2020-12783
 #   4.92.2-r1:
 #     - CVE-2019-16928
 #   4.92.2-r0:
@@ -129,4 +135,6 @@ fc738995baf4376ca0a73a9a957046b254548071181b25156b549a814aea173206915615569bffac
 bb6f5ead067af19ace661cc92bcd428da97570aedd1f9dc5b61a34e7e3fb3e028be6c96d51df73353bdfcaf69a3ee053fb03d245f868d63ebf518aa96ec82d66  exim.confd
 3769e74a54566362bcdf57c45fbf7d130d7a7529fbc40befce431eef0387df117c71a5b57779c507e30d5b125913b5f26c9d16b17995521a1d94997be6dc3e02  exim.initd
 28e748693a6a72d9943fa9c342ff041fe650fa6977f468dee127e845e6c2a91872ce33fb6f5698838906bde3ed92de7a91cdb0349cedc40b806261867e8c06cb  exim.logrotate
-abdaf749ed3947a75b997caa300bf9f27ef82760f1854aa4521a9ac0f322f1655b65a375bc7a709259daea88bf93cfab5289997fa8e376fac9a3477f09bab642  exim.gencert"
+abdaf749ed3947a75b997caa300bf9f27ef82760f1854aa4521a9ac0f322f1655b65a375bc7a709259daea88bf93cfab5289997fa8e376fac9a3477f09bab642  exim.gencert
+f2c252a5d3536e384e276e4253d70f4b6c644e4de684df0a03dc7967d66bb517d50eeb8a1387ef5055c6ee8fdd9eb599ed553ffe77472f273848c15cde9937fa  CVE-2020-12783-1.patch
+303a888b2ce2097e5f031fc6e6fff410c1246634bee7b8b5749ad99e90f255549faecd56dc2327b24e8fca1a360c10f8a7cdb6a0e39631b273f8f3b786e1e921  CVE-2020-12783-2.patch"
diff --git a/community/exim/CVE-2020-12783-1.patch b/community/exim/CVE-2020-12783-1.patch
new file mode 100644
index 00000000000..d292b140343
--- /dev/null
+++ b/community/exim/CVE-2020-12783-1.patch
@@ -0,0 +1,81 @@
+From 6a7edbf6608d10ef0c707c426511e667849518d7 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 5 May 2020 21:15:34 +0100
+Subject: [PATCH 44/46] Fix SPA authenticator, checking client-supplied data
+ before using it.  Bug 2571
+
+(cherry picked from commit 57aa14b216432be381b6295c312065b2fd034f86)
+---
+ doc/ChangeLog |  5 +++++
+ src/auths/spa.c   | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index b651b94e7..9c62f8dda 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -107,6 +107,11 @@ JH/40 Fix a memory-handling bug: when a connection carried multiple messages
+       stale data could be accessed.  Ensure that variable references are
+       dropped between messages.
+ 
++JH/41 Bug 2571: Fix SPA authenticator.  Running as a server, an offset supplied
++      by the client was not checked as pointing within response data before
++      being used.  A malicious client could thus cause an out-of-bounds read and
++      possibly gain authentication.  Fix by adding the check.
++
+ 
+ Exim version 4.93
+ -----------------
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index 97e3b102c..ed9aff23b 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -139,7 +139,7 @@ SPAAuthChallenge challenge;
+ SPAAuthResponse  response;
+ SPAAuthResponse  *responseptr = &response;
+ uschar msgbuf[2048];
+-uschar *clearpass;
++uschar *clearpass, *s;
+ 
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -197,6 +197,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
+   char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
+   int len = SVAL(&responseptr->uUser.len,0)/2;
+ 
++  if (p + len*2 >= CS (responseptr+1))
++    {
++    DEBUG(D_auth)
++      debug_printf("auth_spa_server(): bad uUser spec in response\n");
++    return FAIL;
++    }
++
+   if (len + 1 >= sizeof(msgbuf)) return FAIL;
+   for (i = 0; i < len; ++i)
+     {
+@@ -245,14 +252,17 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
+ 
+ /* compare NT hash (LM may not be available) */
+ 
+-if (memcmp(ntRespData,
+-      ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
+-      24) == 0)
+-  /* success. we have a winner. */
++s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
++if (s + 24 >= US (responseptr+1))
+   {
+-  return auth_check_serv_cond(ablock);
++  DEBUG(D_auth)
++    debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
++  return FAIL;
+   }
+ 
++if (memcmp(ntRespData, s, 24) == 0)
++  return auth_check_serv_cond(ablock);	/* success. we have a winner. */
++
+   /* Expand server_condition as an authorization check (PH) */
+ 
+ return FAIL;
+-- 
+2.26.2
+
diff --git a/community/exim/CVE-2020-12783-2.patch b/community/exim/CVE-2020-12783-2.patch
new file mode 100644
index 00000000000..7f1e825d95c
--- /dev/null
+++ b/community/exim/CVE-2020-12783-2.patch
@@ -0,0 +1,59 @@
+From 5a41d2c2cd2b28a0d1aea21edeaea02bd6db4984 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Wed, 6 May 2020 22:31:25 +0100
+Subject: [PATCH 45/46] Rework SPA fix to avoid overflows.  Bug 2571
+
+Amends: 6a7edbf660
+(cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0)
+---
+ src/auths/spa.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index ed9aff23b..4e3aef808 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -140,6 +140,7 @@ SPAAuthResponse  response;
+ SPAAuthResponse  *responseptr = &response;
+ uschar msgbuf[2048];
+ uschar *clearpass, *s;
++unsigned off;
+ 
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -194,10 +195,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
+ 
+   {
+   int i;
+-  char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
++  char * p;
+   int len = SVAL(&responseptr->uUser.len,0)/2;
+ 
+-  if (p + len*2 >= CS (responseptr+1))
++  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
++     || len >= sizeof(responseptr->buffer)/2
++     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
++     )
+     {
+     DEBUG(D_auth)
+       debug_printf("auth_spa_server(): bad uUser spec in response\n");
+@@ -252,13 +256,14 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
+ 
+ /* compare NT hash (LM may not be available) */
+ 
+-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
+-if (s + 24 >= US (responseptr+1))
++off = IVAL(&responseptr->ntResponse.offset,0);
++if (off >= sizeof(SPAAuthResponse) - 24)
+   {
+   DEBUG(D_auth)
+     debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
+   return FAIL;
+   }
++s = (US responseptr) + off;
+ 
+ if (memcmp(ntRespData, s, 24) == 0)
+   return auth_check_serv_cond(ablock);	/* success. we have a winner. */
+-- 
+2.26.2
+