511686 – (CVE-2014-2957) <mail-mta/exim-4.82.1: remote code execution flaw (CVE-2014-2957)

Bug 511686 (CVE-2014-2957) - <mail-mta/exim-4.82.1: remote code execution flaw (CVE-2014-2957)

Summary: <mail-mta/exim-4.82.1: remote code execution flaw (CVE-2014-2957)

Status:	RESOLVED FIXED

Alias:	CVE-2014-2957

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://lists.exim.org/lurker/message...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-05-28 12:44 UTC by Vladimir Varlamov
Modified:	2014-05-29 16:49 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vladimir Varlamov 2014-05-28 12:44:53 UTC

CVE-2014-2957 fixed in 4.82.1, introduced in 4.82: used untrusted 
ata when parsing the From header in Experimental DMARC code and 
allowed macro expansion.

only for mail-mta/exim[dmarc]
4.82.1 released

Reproducible: Always

Comment 1 Agostino Sarubbo gentoo-dev

2014-05-28 13:13:15 UTC

Thanks for the report.

Comment 2 Yury German Gentoo Infrastructure

2014-05-29 14:28:08 UTC

Since DMARC was only introduced in 4.82, and 4.82 is not stable. If we remove the vulnerable versions we should be good:

Please cleanup:

4.82 & 4.82-r1

Thank you

Comment 3 Fabian Groffen gentoo-dev

2014-05-29 16:47:25 UTC

4.82 and 4.82-r1 removed