Bug 786945 (CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28010, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28014, CVE-2020-28015, CVE-2020-28016, CVE-2020-28017, CVE-2020-28018, CVE-2020-28019, CVE-2020-28020, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026, CVE-2021-27216) - <mail-mta/exim-4.94.2: multiple vulnerabilities (Nine inch mails)
Summary: <mail-mta/exim-4.94.2: multiple vulnerabilities (Nine inch mails)
Status: RESOLVED FIXED
Alias: CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28010, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28014, CVE-2020-28015, CVE-2020-28016, CVE-2020-28017, CVE-2020-28018, CVE-2020-28019, CVE-2020-28020, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026, CVE-2021-27216
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.qualys.com/2021/05/04/21n...
Whiteboard: B1 [glsa+ cve]
Keywords:
Duplicates: 788223
Depends on:
Blocks:
 
Reported: 2021-04-29 18:44 UTC by Thomas Deutschmann
Modified: 2021-05-08 11:41 UTC

See Also:
Package list:
mail-mta/exim-4.94.2
Runtime testing required: ---
nattka: sanity-check-


Description Thomas Deutschmann gentoo-dev Security 2021-04-29 18:44:36 UTC
Incoming details.
Comment 1 Sam James archtester gentoo-dev Security 2021-05-04 13:57:28 UTC
Summary
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary file creation and clobbering
- CVE-2021-27216: Arbitrary file deletion
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Comment 2 Sam James archtester gentoo-dev Security 2021-05-04 13:58:43 UTC
Please bump.
Comment 3 Tobias Klausmann gentoo-dev 2021-05-04 15:16:45 UTC
Bumping (and dropping the PAM taint patch) worked for me. Seeing as this has remote exploit potential, do we want to go ahead without waiting for the maintainer?
Comment 4 Fabian Groffen gentoo-dev 2021-05-04 15:40:46 UTC
no, please wait, a news item for Exim must be out of the door before I bump this, I'll break the 72-hour rule and do it now
Comment 5 Sam James archtester gentoo-dev Security 2021-05-04 15:48:50 UTC
(In reply to Tobias Klausmann from comment #3)
> Bumping (and dropping the PAM taint patch) worked for me. Seeing as this has
> remote exploit potential, do we want to go ahead without waiting for the
> maintainer?

Thanks for asking (genuinely, I’d rather have two people happy to do it than none). Luckily, Fabian is around…

(In reply to Fabian Groffen from comment #4)
> no, please wait, a news item for Exim must be out of the door before I bump
> this, I'll break the 72-hour rule and do it now

Fantastic, go for it. I wish they’d not combined it with breaking changes…
Comment 6 Larry the Git Cow gentoo-dev 2021-05-04 15:48:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ddfa885089b0c76a0c0c57a5fcebf42948203d4

commit 3ddfa885089b0c76a0c0c57a5fcebf42948203d4
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-05-04 15:47:19 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-05-04 15:47:19 +0000

    mail-mta/exim-4.94.2: version bump
    
    Bug: https://bugs.gentoo.org/786945
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.94.2.ebuild | 616 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 618 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2021-05-04 19:14:44 UTC
arm done
Comment 8 Sam James archtester gentoo-dev Security 2021-05-04 19:17:14 UTC
ppc64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-04 19:17:36 UTC
ppc done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-04 19:20:20 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-04 19:20:34 UTC
amd64 done
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-04 19:32:51 UTC
This issue was resolved and addressed in
 GLSA 202105-01 at https://security.gentoo.org/glsa/202105-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann gentoo-dev Security 2021-05-04 19:33:27 UTC
Re-opening for remaining architecture.
Comment 14 Sam James archtester gentoo-dev Security 2021-05-04 19:36:05 UTC
Unfortunately catbus is down right now, so Dakon may need to..
Comment 15 Sam James archtester gentoo-dev Security 2021-05-04 21:35:56 UTC
*** Bug 788223 has been marked as a duplicate of this bug. ***
Comment 16 Rolf Eike Beer 2021-05-05 18:07:16 UTC
sparc stable
Comment 17 Sam James archtester gentoo-dev Security 2021-05-05 18:12:08 UTC
Please cleanup.
Comment 18 Larry the Git Cow gentoo-dev 2021-05-05 18:43:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51ce2b02fc364a4a963c913edfc47084c3daa8ad

commit 51ce2b02fc364a4a963c913edfc47084c3daa8ad
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-05-05 18:43:16 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-05-05 18:43:26 +0000

    mail-mta/exim: cleanup
    
    Bug: https://bugs.gentoo.org/786945
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest                             |   4 -
 mail-mta/exim/exim-4.93.0.4-r2.ebuild              | 592 --------------------
 mail-mta/exim/exim-4.94-r2.ebuild                  | 593 --------------------
 mail-mta/exim/exim-4.94-r3.ebuild                  | 617 ---------------------
 mail-mta/exim/files/exim-4.20-maildir.patch        |  14 -
 mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch |  83 ---
 mail-mta/exim/files/exim-4.93-fno-common.patch     |  16 -
 .../exim/files/exim-4.93-localscan_dlopen.patch    | 269 ---------
 mail-mta/exim/files/exim-4.93-radius.patch         |  66 ---
 .../exim/files/exim-4.94-taint-pam-expansion.patch |  35 --
 10 files changed, 2289 deletions(-)
Comment 19 NATTkA bot gentoo-dev 2021-05-08 08:24:22 UTC
Unable to check for sanity:

> no match for package: mail-mta/exim-4.94.2
Comment 20 Thomas Deutschmann gentoo-dev Security 2021-05-08 11:41:45 UTC
Repository is clean, all done!