Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 439734 (CVE-2012-5671) - <mail-mta/exim-4.80.1 : DKIM DNS Decoding Buffer Overflow Vulnerability (CVE-2012-5671)
Summary: <mail-mta/exim-4.80.1 : DKIM DNS Decoding Buffer Overflow Vulnerability (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2012-5671
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.mail.e...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-26 09:26 UTC by Fabian Groffen
Modified: 2014-01-27 12:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Fabian Groffen gentoo-dev 2012-10-26 09:26:39 UTC
dkim USE-flag is by default enabled on Gentoo, so I'd like to have this stabilised ASAP, with security team blessings.  Please advice.
Comment 1 Agostino Sarubbo gentoo-dev 2012-10-26 09:33:57 UTC
4.80.1 is the fixed version?
Comment 2 Fabian Groffen gentoo-dev 2012-10-26 09:47:20 UTC
yup, committed this morning
Comment 3 Agostino Sarubbo gentoo-dev 2012-10-26 10:44:28 UTC
Arches, please test and mark stable:
=mail-mta/exim-4.80.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-10-26 14:33:23 UTC
amd64 stable
Comment 5 Jeroen Roovers gentoo-dev 2012-10-26 17:15:41 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann gentoo-dev 2012-10-27 11:39:33 UTC
Stable on alpha.
Comment 7 Anthony Basile gentoo-dev 2012-10-29 02:44:18 UTC
stable ppc ppc64
Comment 8 Andreas Schürch gentoo-dev 2012-10-30 17:56:21 UTC
x86 done.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-11-02 00:42:23 UTC
CVE-2012-5671 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5671):
  Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c
  in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect
  and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify,"
  allows remote attackers to execute arbitrary code via an email from a
  malicious DNS server.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-11-11 16:30:08 UTC
ia64/sparc stable
Comment 11 Sean Amoss gentoo-dev Security 2012-11-12 11:45:07 UTC
Thanks, everyone.

Added to existing GLSA draft.
Comment 12 Fabian Groffen gentoo-dev 2013-03-23 18:27:43 UTC
@security: please close this bug, all offending versions are gone
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 12:37:14 UTC
This issue was resolved and addressed in
 GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).