Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 722484 (CVE-2020-12783) - <mail-mta/exim-4.93.0.4-r1: Authentication bypass with SPA/NTLM (CVE-2020-12783)
Summary: <mail-mta/exim-4.93.0.4-r1: Authentication bypass with SPA/NTLM (CVE-2020-12783)
Status: RESOLVED FIXED
Alias: CVE-2020-12783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.exim.org/show_bug.cgi?id...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-11 15:06 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-18 03:08 UTC (History)
1 user (show)

See Also:
Package list:
=mail-mta/exim-4.93.0.4-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-11 15:06:07 UTC
Details forthcoming.
Comment 1 Sam James archtester gentoo-dev Security 2020-05-11 15:07:11 UTC
Description:
"Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c."

Patches:
https://git.exim.org/exim.git/commit/57aa14b216432be381b6295c312065b2fd034f86
https://git.exim.org/exim.git/commit/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
Comment 2 Sam James archtester gentoo-dev Security 2020-05-12 15:16:42 UTC
Please apply the provided patches, or do you prefer to wait for a release?
Comment 3 Fabian Groffen gentoo-dev 2020-05-12 17:35:42 UTC
upstream seems to be discussing what to do here, but I guess we can also pull the patches.  There was a dispute at first, so I was waiting for a concensus there.
Comment 4 Sam James archtester gentoo-dev Security 2020-05-12 17:37:55 UTC
(In reply to Fabian Groffen from comment #3)
> upstream seems to be discussing what to do here, but I guess we can also
> pull the patches.  There was a dispute at first, so I was waiting for a
> concensus there.

Sure, if you prefer to wait, that is fine. I see what you mean about the dispute re the first patch.
Comment 5 Larry the Git Cow gentoo-dev 2020-05-13 07:45:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1468afd12e683a61448e2ff58c47e54715f0ff29

commit 1468afd12e683a61448e2ff58c47e54715f0ff29
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-05-13 07:44:37 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-05-13 07:45:13 +0000

    mail-mta/exim-4.93.0.4-r1: revbump for CVE-2020-12783
    
    Bug: https://bugs.gentoo.org/722484
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 ...xim-4.93.0.4.ebuild => exim-4.93.0.4-r1.ebuild} |  1 +
 mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2020-05-13 08:13:09 UTC
Thanks! Let us know when you are ready for stabilisation.
Comment 7 Fabian Groffen gentoo-dev 2020-05-13 08:14:47 UTC
I have no way to test SPA auth, so since I've been running 4.93.0.4 for a while now, from my point of view we're good to go.
Comment 8 Sam James archtester gentoo-dev Security 2020-05-13 08:26:50 UTC
(In reply to Fabian Groffen from comment #7)
> I have no way to test SPA auth, so since I've been running 4.93.0.4 for a
> while now, from my point of view we're good to go.

Cool. Let's do it.
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-13 11:26:30 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-13 11:27:38 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-13 11:28:39 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-05-13 11:29:31 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-05-13 11:31:23 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-05-13 17:13:23 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Larry the Git Cow gentoo-dev 2020-05-13 17:20:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b998533b5bae4ff911d11eb2ece787fd4a9e4c8

commit 4b998533b5bae4ff911d11eb2ece787fd4a9e4c8
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-05-13 17:19:39 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-05-13 17:19:57 +0000

    mail-mta/exim: security cleanup
    
    Bug: https://bugs.gentoo.org/722484
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest                             |   2 -
 mail-mta/exim/exim-4.92.3.ebuild                   | 581 ---------------------
 .../exim/files/exim-4.82-makefile-freebsd.patch    |  45 --
 .../exim/files/exim-4.89-as-needed-ldflags.patch   | 145 -----
 .../files/exim-4.92-fix-eval-expansion-32bit.patch |  51 --
 .../exim/files/exim-4.92-localscan_dlopen.patch    | 267 ----------
 6 files changed, 1091 deletions(-)
Comment 16 Sam James archtester gentoo-dev Security 2020-05-13 20:18:16 UTC
Thanks!