Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 701282 (CVE-2019-16928) - <mail-mta/exim-4.92.3: remotely triggerable buffer overflow in string_vformat() (CVE-2019-16928)
Summary: <mail-mta/exim-4.92.3: remotely triggerable buffer overflow in string_vformat...
Status: RESOLVED FIXED
Alias: CVE-2019-16928
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.exim.org/show_bug.cgi?id...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-26 23:02 UTC by psp
Modified: 2020-03-20 18:51 UTC (History)
1 user (show)

See Also:
Package list:
mail-mta/exim-4.92.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description psp 2019-11-26 23:02:38 UTC
Exim 4.92 through 4.92.2 are vulnerable to buffer overflow via crafted EHLO command.

As of writing, mail-mta/exim-4.92.3 is in portage but not marked stable.
Comment 1 Sam James (sam_c) (security padawan) 2020-03-01 16:55:32 UTC
CVE: CVE-2019-16928
Comment 2 Agostino Sarubbo gentoo-dev 2020-03-01 21:45:09 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-02 12:28:33 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-02 12:29:58 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-02 12:32:43 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-02 12:40:18 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-02 15:23:44 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-03 07:54:48 UTC
ia64 stable
Comment 9 Hans F. Nordhaug 2020-03-13 09:46:49 UTC
Why aren't version 4.92.2 and 4.92.3 removed from portage yet? 

I see that "Gentoo Security" is assigned so I would also expect a GLSA. Maybe the security team is overloaded/uderstaffed?
Comment 10 Sam James (sam_c) (security padawan) 2020-03-13 11:00:26 UTC
(In reply to Hans F. Nordhaug from comment #9)
> Why aren't version 4.92.2 and 4.92.3 removed from portage yet? 
> 
> I see that "Gentoo Security" is assigned so I would also expect a GLSA.
> Maybe the security team is overloaded/uderstaffed?

Our process is:
1) Stabilise a patched version first;
2) Cleanup;
3) GLSA if applicable (may go to vote or immediate no GLSA if unstable)

Here, we are waiting on an arch team (HPPA). After an amount of time, we can poke arch times though, but some are smaller/busier than others.

We are always happy to have new volunteers. I recently joined as a security padawan when only 1 person was active really, a few have now returned, but definitely need more help.

This bug in particular as you can see had a poke and then ago was able to move on the bug.
Comment 11 Rolf Eike Beer 2020-03-20 08:39:39 UTC
Feel free to clean up, it's fine that exim is ~hppa only.
Comment 12 Larry the Git Cow gentoo-dev 2020-03-20 08:50:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab06f843318c1b0b73d403e074b9ea75ac1f396c

commit ab06f843318c1b0b73d403e074b9ea75ac1f396c
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-03-20 08:50:12 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-03-20 08:50:12 +0000

    mail-mta/exim-4.92.2: drop vulnerable version (dropping hppa stable)
    
    hppa expressed to be ok with Exim dropped to ~hppa for them
    https://bugs.gentoo.org/701282#c11
    
    Bug: https://bugs.gentoo.org/701282
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest           |   2 -
 mail-mta/exim/exim-4.92.2.ebuild | 581 ---------------------------------------
 2 files changed, 583 deletions(-)
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-03-20 18:43:22 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 18:51:04 UTC
This issue was resolved and addressed in
 GLSA 202003-47 at https://security.gentoo.org/glsa/202003-47
by GLSA coordinator Thomas Deutschmann (whissi).