aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--community/exim/APKBUILD14
-rw-r--r--community/exim/CVE-2020-12783-1.patch81
-rw-r--r--community/exim/CVE-2020-12783-2.patch59
3 files changed, 151 insertions, 3 deletions
diff --git a/community/exim/APKBUILD b/community/exim/APKBUILD
index 4fb25baa93..78196a09f2 100644
--- a/community/exim/APKBUILD
+++ b/community/exim/APKBUILD
@@ -6,7 +6,7 @@
# Maintainer: Jesse Young <jlyo@jlyo.org>
pkgname=exim
pkgver=4.93
-pkgrel=0
+pkgrel=1
pkgdesc="Message Transfer Agent"
url="https://www.exim.org/"
arch="all"
@@ -29,9 +29,15 @@ source="https://ftp.exim.org/pub/exim/exim4/$pkgname-$pkgver.tar.xz
exim.confd
exim.initd
exim.logrotate
- exim.gencert"
+ exim.gencert
+
+ CVE-2020-12783-1.patch
+ CVE-2020-12783-2.patch
+ "
# secfixes:
+# 4.93-r1:
+# - CVE-2020-12783
# 4.92.2-r1:
# - CVE-2019-16928
# 4.92.2-r0:
@@ -129,4 +135,6 @@ fc738995baf4376ca0a73a9a957046b254548071181b25156b549a814aea173206915615569bffac
bb6f5ead067af19ace661cc92bcd428da97570aedd1f9dc5b61a34e7e3fb3e028be6c96d51df73353bdfcaf69a3ee053fb03d245f868d63ebf518aa96ec82d66 exim.confd
3769e74a54566362bcdf57c45fbf7d130d7a7529fbc40befce431eef0387df117c71a5b57779c507e30d5b125913b5f26c9d16b17995521a1d94997be6dc3e02 exim.initd
28e748693a6a72d9943fa9c342ff041fe650fa6977f468dee127e845e6c2a91872ce33fb6f5698838906bde3ed92de7a91cdb0349cedc40b806261867e8c06cb exim.logrotate
-abdaf749ed3947a75b997caa300bf9f27ef82760f1854aa4521a9ac0f322f1655b65a375bc7a709259daea88bf93cfab5289997fa8e376fac9a3477f09bab642 exim.gencert"
+abdaf749ed3947a75b997caa300bf9f27ef82760f1854aa4521a9ac0f322f1655b65a375bc7a709259daea88bf93cfab5289997fa8e376fac9a3477f09bab642 exim.gencert
+f2c252a5d3536e384e276e4253d70f4b6c644e4de684df0a03dc7967d66bb517d50eeb8a1387ef5055c6ee8fdd9eb599ed553ffe77472f273848c15cde9937fa CVE-2020-12783-1.patch
+303a888b2ce2097e5f031fc6e6fff410c1246634bee7b8b5749ad99e90f255549faecd56dc2327b24e8fca1a360c10f8a7cdb6a0e39631b273f8f3b786e1e921 CVE-2020-12783-2.patch"
diff --git a/community/exim/CVE-2020-12783-1.patch b/community/exim/CVE-2020-12783-1.patch
new file mode 100644
index 0000000000..d292b14034
--- /dev/null
+++ b/community/exim/CVE-2020-12783-1.patch
@@ -0,0 +1,81 @@
+From 6a7edbf6608d10ef0c707c426511e667849518d7 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Tue, 5 May 2020 21:15:34 +0100
+Subject: [PATCH 44/46] Fix SPA authenticator, checking client-supplied data
+ before using it. Bug 2571
+
+(cherry picked from commit 57aa14b216432be381b6295c312065b2fd034f86)
+---
+ doc/ChangeLog | 5 +++++
+ src/auths/spa.c | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index b651b94e7..9c62f8dda 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -107,6 +107,11 @@ JH/40 Fix a memory-handling bug: when a connection carried multiple messages
+ stale data could be accessed. Ensure that variable references are
+ dropped between messages.
+
++JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
++ by the client was not checked as pointing within response data before
++ being used. A malicious client could thus cause an out-of-bounds read and
++ possibly gain authentication. Fix by adding the check.
++
+
+ Exim version 4.93
+ -----------------
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index 97e3b102c..ed9aff23b 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -139,7 +139,7 @@ SPAAuthChallenge challenge;
+ SPAAuthResponse response;
+ SPAAuthResponse *responseptr = &response;
+ uschar msgbuf[2048];
+-uschar *clearpass;
++uschar *clearpass, *s;
+
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -197,6 +197,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
+ char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
+ int len = SVAL(&responseptr->uUser.len,0)/2;
+
++ if (p + len*2 >= CS (responseptr+1))
++ {
++ DEBUG(D_auth)
++ debug_printf("auth_spa_server(): bad uUser spec in response\n");
++ return FAIL;
++ }
++
+ if (len + 1 >= sizeof(msgbuf)) return FAIL;
+ for (i = 0; i < len; ++i)
+ {
+@@ -245,14 +252,17 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
+
+ /* compare NT hash (LM may not be available) */
+
+-if (memcmp(ntRespData,
+- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
+- 24) == 0)
+- /* success. we have a winner. */
++s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
++if (s + 24 >= US (responseptr+1))
+ {
+- return auth_check_serv_cond(ablock);
++ DEBUG(D_auth)
++ debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
++ return FAIL;
+ }
+
++if (memcmp(ntRespData, s, 24) == 0)
++ return auth_check_serv_cond(ablock); /* success. we have a winner. */
++
+ /* Expand server_condition as an authorization check (PH) */
+
+ return FAIL;
+--
+2.26.2
+
diff --git a/community/exim/CVE-2020-12783-2.patch b/community/exim/CVE-2020-12783-2.patch
new file mode 100644
index 0000000000..7f1e825d95
--- /dev/null
+++ b/community/exim/CVE-2020-12783-2.patch
@@ -0,0 +1,59 @@
+From 5a41d2c2cd2b28a0d1aea21edeaea02bd6db4984 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Wed, 6 May 2020 22:31:25 +0100
+Subject: [PATCH 45/46] Rework SPA fix to avoid overflows. Bug 2571
+
+Amends: 6a7edbf660
+(cherry picked from commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0)
+---
+ src/auths/spa.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/auths/spa.c b/src/auths/spa.c
+index ed9aff23b..4e3aef808 100644
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -140,6 +140,7 @@ SPAAuthResponse response;
+ SPAAuthResponse *responseptr = &response;
+ uschar msgbuf[2048];
+ uschar *clearpass, *s;
++unsigned off;
+
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -194,10 +195,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
+
+ {
+ int i;
+- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
++ char * p;
+ int len = SVAL(&responseptr->uUser.len,0)/2;
+
+- if (p + len*2 >= CS (responseptr+1))
++ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
++ || len >= sizeof(responseptr->buffer)/2
++ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
++ )
+ {
+ DEBUG(D_auth)
+ debug_printf("auth_spa_server(): bad uUser spec in response\n");
+@@ -252,13 +256,14 @@ spa_smb_nt_encrypt (clearpass, challenge.challengeData, ntRespData);
+
+ /* compare NT hash (LM may not be available) */
+
+-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
+-if (s + 24 >= US (responseptr+1))
++off = IVAL(&responseptr->ntResponse.offset,0);
++if (off >= sizeof(SPAAuthResponse) - 24)
+ {
+ DEBUG(D_auth)
+ debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
+ return FAIL;
+ }
++s = (US responseptr) + off;
+
+ if (memcmp(ntRespData, s, 24) == 0)
+ return auth_check_serv_cond(ablock); /* success. we have a winner. */
+--
+2.26.2
+