Comment 1 Sam James 2020-05-11 15:07:11 UTC

Description:
"Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c."

Patches:
https://git.exim.org/exim.git/commit/57aa14b216432be381b6295c312065b2fd034f86
https://git.exim.org/exim.git/commit/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0

Comment 2 Sam James 2020-05-12 15:16:42 UTC

Please apply the provided patches, or do you prefer to wait for a release?

Comment 3 Fabian Groffen 2020-05-12 17:35:42 UTC

upstream seems to be discussing what to do here, but I guess we can also pull the patches.  There was a dispute at first, so I was waiting for a concensus there.

Comment 4 Sam James 2020-05-12 17:37:55 UTC

(In reply to Fabian Groffen from comment #3)
> upstream seems to be discussing what to do here, but I guess we can also
> pull the patches.  There was a dispute at first, so I was waiting for a
> concensus there.

Sure, if you prefer to wait, that is fine. I see what you mean about the dispute re the first patch.

Comment 5 Larry the Git Cow 2020-05-13 07:45:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1468afd12e683a61448e2ff58c47e54715f0ff29

commit 1468afd12e683a61448e2ff58c47e54715f0ff29
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-05-13 07:44:37 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-05-13 07:45:13 +0000

    mail-mta/exim-4.93.0.4-r1: revbump for CVE-2020-12783
    
    Bug: https://bugs.gentoo.org/722484
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 ...xim-4.93.0.4.ebuild => exim-4.93.0.4-r1.ebuild} |  1 +
 mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

Comment 6 Sam James 2020-05-13 08:13:09 UTC

Thanks! Let us know when you are ready for stabilisation.

Comment 7 Fabian Groffen 2020-05-13 08:14:47 UTC

I have no way to test SPA auth, so since I've been running 4.93.0.4 for a while now, from my point of view we're good to go.

Comment 8 Sam James 2020-05-13 08:26:50 UTC

(In reply to Fabian Groffen from comment #7)
> I have no way to test SPA auth, so since I've been running 4.93.0.4 for a
> while now, from my point of view we're good to go.

Cool. Let's do it.

Comment 9 Agostino Sarubbo 2020-05-13 11:26:30 UTC

sparc stable

Comment 10 Agostino Sarubbo 2020-05-13 11:27:38 UTC

amd64 stable

Comment 11 Agostino Sarubbo 2020-05-13 11:28:39 UTC

arm stable

Comment 12 Agostino Sarubbo 2020-05-13 11:29:31 UTC

ppc64 stable

Comment 13 Agostino Sarubbo 2020-05-13 11:31:23 UTC

x86 stable

Comment 14 Agostino Sarubbo 2020-05-13 17:13:23 UTC

ppc stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 15 Larry the Git Cow 2020-05-13 17:20:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b998533b5bae4ff911d11eb2ece787fd4a9e4c8

commit 4b998533b5bae4ff911d11eb2ece787fd4a9e4c8
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-05-13 17:19:39 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-05-13 17:19:57 +0000

    mail-mta/exim: security cleanup
    
    Bug: https://bugs.gentoo.org/722484
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest                             |   2 -
 mail-mta/exim/exim-4.92.3.ebuild                   | 581 ---------------------
 .../exim/files/exim-4.82-makefile-freebsd.patch    |  45 --
 .../exim/files/exim-4.89-as-needed-ldflags.patch   | 145 -----
 .../files/exim-4.92-fix-eval-expansion-32bit.patch |  51 --
 .../exim/files/exim-4.92-localscan_dlopen.patch    | 267 ----------
 6 files changed, 1091 deletions(-)

Comment 16 Sam James 2020-05-13 20:18:16 UTC

Thanks!