Bug 366369 (CVE-2011-1407) - <mail-mta/exim-4.76: DKIM logging format string vulnerability (CVE-2011-{1407,1764})
Status: RESOLVED FIXED
Alias: CVE-2011-1407
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All / OS: All
Importance: Normal major
Assignee: Gentoo Security
URL: https://lists.exim.org/lurker/message...
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 366389
Depends on:
Blocks:
 
Reported: 2011-05-07 18:04 UTC by Adrian
Modified: 2014-01-27 12:37 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---
Description Adrian 2011-05-07 18:04:27 UTC
As written on [1], <=exim-4.75 has a security hole that can be used by a remote attacker to execute arbitrary code. A patch is available that applies fine to the currently-stable 4.74 in portage.

[1]: https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html

Reproducible: Didn't try

Steps to Reproduce:
No exploit in the wild yet, so I simply believe the devs that the hole is real.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-07 18:44:23 UTC
Patch: http://git.exim.org/exim.git/commitdiff_plain/337e3505b0e6cd4309db6bf6062b33fa56e06cf8

Please provide an updated ebuild.
Comment 2 Fabian Groffen gentoo-dev 2011-05-07 19:13:44 UTC
I've added 4.75-r1, please stable this version.  It's been scheduled for stabling, and Monday 4.76 will be released (which includes the secfix).
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-07 19:26:52 UTC
*** Bug 366389 has been marked as a duplicate of this bug. ***
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-07 19:32:22 UTC
Arches, please test and mark stable:
=mail-mta/exim-4.75-r1
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-05-08 01:15:29 UTC
amd64 ok
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-05-08 12:05:06 UTC
x86 stable
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-05-08 22:13:15 UTC
amd64 done (sorry for the spam)
Comment 8 Gerrit Helm 2011-05-09 17:06:49 UTC
Where is the point in stabling mail-mta/exim-4.75-r1?
Today exim-4.76-rc1 is released which contains the fixes for these holes.

>> https://lists.exim.org/lurker/message/20110509.091632.daed0206.en.html

Can someone please add this to the tree so we can stable this version?

Thanks.
Comment 9 Fabian Groffen gentoo-dev 2011-05-09 17:18:15 UTC
4.76 contains more stuff next to the security fix.  Since we know 4.75 runs solid, and -r1 only has the backport of the fix added, that one is candidate for stabling.  4.76 will be candidate for stabling in minimally 30 days from the moment it has been added to the tree.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-09 18:44:33 UTC
Stable for HPPA.
Comment 11 Fabian Groffen gentoo-dev 2011-05-12 10:43:07 UTC
On 2011-05-09 at 05:16 -0400, Phil Pennock wrote:
> This is a SECURITY release: Exim versions 4.70 up to and including 4.75
> contained a security hole (format string attack) permitting remote
> execution of arbitrary code as the Exim run-time user.  This is
> CVE-2011-1764.  There is also another, lesser security issue.  Both lie
> in the DKIM code and mitigation techniques are described below.

Further analysis revealed that the second security issue was more severe than
I realised at the time that I wrote the announcement.  The second
security issue has been assigned CVE-2011-1407 and is also a remote code
execution flaw.  For clarity: both issues were introduced with 4.70.


This means stabling 4.75-r1 is IMO close to pointless.  I'll try to fix the 4.76 bugs tonight, such that the security team can decide to stable it, if they wish to.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-05-13 15:35:55 UTC
(In reply to comment #11)
> This means stabling 4.75-r1 is IMO close to pointless.  I'll try to fix the 4.76
> bugs tonight, such that the security team can decide to stable it, if they wish
> to.

Ok, thank you for the update. I see 4.76 is in the tree now. Is that ready for stabilization?
Comment 13 Fabian Groffen gentoo-dev 2011-05-13 15:44:40 UTC
yes it is, thanks
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-05-13 15:49:58 UTC
(In reply to comment #13)
> yes it is, thanks

Great, thanks.

Arches, please test and mark stable:
=mail-mta/exim-4.76
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 15 Agostino Sarubbo gentoo-dev 2011-05-13 19:02:30 UTC
works as precedent
Comment 16 Markos Chandras (RETIRED) gentoo-dev 2011-05-13 23:01:20 UTC
amd64 done. Thanks Agostino
Comment 17 Thomas Kahle (RETIRED) gentoo-dev 2011-05-14 08:42:13 UTC
x86 stable. Thanks
Comment 18 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 10:25:15 UTC
ppc/ppc64 stable
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2011-05-14 19:20:37 UTC
alpha/ia64/sparc stable
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-16 18:42:15 UTC
Stable for HPPA.
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2011-05-16 18:46:48 UTC
Thanks everyone. Added to existing GLSA request.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 02:18:42 UTC
CVE-2011-1407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1407):
  The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM
  identities to apply to lookup items, instead of only strings, which allows
  remote attackers to execute arbitrary code or access a filesystem via a
  crafted identity.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:36:28 UTC
CVE-2011-1764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1764):
  Format string vulnerability in the dkim_exim_verify_finish function in
  src/dkim.c in Exim before 4.76 might allow remote attackers to execute
  arbitrary code or cause a denial of service (daemon crash) via format string
  specifiers in data used in DKIM logging, as demonstrated by an identity
  field containing a % (percent) character.
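The NVD text above describes the format-string class of defect: attacker-controlled DKIM identity data reaching a printf-style logging call in the format-string position, so a `%` directive in the identity is interpreted instead of logged. As an added illustration (not Exim's code and not the patch referenced in comment 1), the C below shows the fixed idiom of a constant format with the untrusted value passed only as a `%s` argument, beside a small audit helper that flags conversion directives in header data. The function names `dkim_log_verify_result` and `contains_format_directive` and the sample identity are constructed for this example.

```c
/* Added example, not Exim's code: the format-string bug class behind
 * CVE-2011-1764 and the defensive idiom that removes it. Function names
 * and the sample identity below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/*
 * Bug shape (the class the advisory describes): an attacker-controlled
 * string is handed to a printf-style logger in the *format* position, so
 * any '%' directive inside it is interpreted:
 *
 *     fprintf(logf, identity);            // wrong: identity parsed as a format
 *
 * Fixed shape: the format is a compile-time literal and the untrusted
 * value is only ever a %s argument, so a '%' in it is plain data.
 */
static int dkim_log_verify_result(char *out, size_t outlen,
                                  const char *identity, const char *status)
{
    /* Literal format; identity and status are arguments, never parsed. */
    int n = snprintf(out, outlen, "DKIM: d=%s verify=%s", identity, status);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                        /* truncated or encoding error */
    return n;
}

/*
 * Audit helper: report whether untrusted header data carries a conversion
 * directive ('%' not followed by another '%'). A doubled "%%" is a literal
 * percent and is not flagged. Returns 1 if a directive is present, else 0.
 * Useful as a test oracle or a log-review signal; it is not a substitute
 * for the fixed format above.
 */
static int contains_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                /* "%%": literal percent, skip both */
            s++;
            continue;
        }
        return 1;                         /* '%' followed by anything else, incl. end */
    }
    return 0;
}

int main(void)
{
    /* Constructed identity carrying directives, as the advisory describes. */
    const char *identity = "%n%n@example.test";
    char line[128];

    if (dkim_log_verify_result(line, sizeof line, identity, "fail") < 0)
        return 1;
    printf("%s\n", line);                 /* the "%n" survives as literal text */
    printf("directive in identity: %d\n", contains_format_directive(identity));
    return 0;
}
```

With the literal format, the hostile identity is emitted verbatim into the log line; the audit helper is the kind of check a test suite or log reviewer can run over header fields to spot data that would have been dangerous under the old code shape.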
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 12:37:11 UTC
This issue was resolved and addressed in
 GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).