Comment 1 Sam James 2021-05-04 13:57:28 UTC

Summary
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary file creation and clobbering
- CVE-2021-27216: Arbitrary file deletion
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Comment 2 Sam James 2021-05-04 13:58:43 UTC

Please bump.

Comment 3 Tobias Klausmann (RETIRED) 2021-05-04 15:16:45 UTC

Bumping (and dropping the PAM taint patch) worked for me. Seeing as this has remote exploit potential, do we want to go ahead without waiting for the maintainer?

Comment 4 Fabian Groffen 2021-05-04 15:40:46 UTC

no, please wait, a news item for Exim must be out of the door before I bump this, I'll break the 72-hour rule and do it now

Comment 5 Sam James 2021-05-04 15:48:50 UTC

(In reply to Tobias Klausmann from comment #3)
> Bumping (and dropping the PAM taint patch) worked for me. Seeing as this has
> remote exploit potential, do we want to go ahead without waiting for the
> maintainer?

Thanks for asking (genuinely, I’d rather have two people happy to do it than none). Luckily, Fabian is around…

(In reply to Fabian Groffen from comment #4)
> no, please wait, a news item for Exim must be out of the door before I bump
> this, I'll break the 72-hour rule and do it now

Fantastic, go for it. I wish they’d not combined it with breaking changes…

Comment 6 Larry the Git Cow 2021-05-04 15:48:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ddfa885089b0c76a0c0c57a5fcebf42948203d4

commit 3ddfa885089b0c76a0c0c57a5fcebf42948203d4
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-05-04 15:47:19 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-05-04 15:47:19 +0000

    mail-mta/exim-4.94.2: version bump
    
    Bug: https://bugs.gentoo.org/786945
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.94.2.ebuild | 616 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 618 insertions(+)

Comment 7 Sam James 2021-05-04 19:14:44 UTC

arm done

Comment 8 Sam James 2021-05-04 19:17:14 UTC

ppc64 done

Comment 9 Sam James 2021-05-04 19:17:36 UTC

ppc done

Comment 10 Sam James 2021-05-04 19:20:20 UTC

x86 done

Comment 11 Sam James 2021-05-04 19:20:34 UTC

amd64 done

Comment 12 GLSAMaker/CVETool Bot 2021-05-04 19:32:51 UTC

This issue was resolved and addressed in
 GLSA 202105-01 at https://security.gentoo.org/glsa/202105-01
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 13 Thomas Deutschmann (RETIRED) 2021-05-04 19:33:27 UTC

Re-opening for remaining architecture.

Comment 14 Sam James 2021-05-04 19:36:05 UTC

Unfortunately catbus is down right now, so Dakon may need to..

Comment 15 Sam James 2021-05-04 21:35:56 UTC

*** Bug 788223 has been marked as a duplicate of this bug. ***

Comment 16 Rolf Eike Beer 2021-05-05 18:07:16 UTC

sparc stable

Comment 17 Sam James 2021-05-05 18:12:08 UTC

Please cleanup.

Comment 18 Larry the Git Cow 2021-05-05 18:43:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51ce2b02fc364a4a963c913edfc47084c3daa8ad

commit 51ce2b02fc364a4a963c913edfc47084c3daa8ad
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-05-05 18:43:16 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-05-05 18:43:26 +0000

    mail-mta/exim: cleanup
    
    Bug: https://bugs.gentoo.org/786945
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest                             |   4 -
 mail-mta/exim/exim-4.93.0.4-r2.ebuild              | 592 --------------------
 mail-mta/exim/exim-4.94-r2.ebuild                  | 593 --------------------
 mail-mta/exim/exim-4.94-r3.ebuild                  | 617 ---------------------
 mail-mta/exim/files/exim-4.20-maildir.patch        |  14 -
 mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch |  83 ---
 mail-mta/exim/files/exim-4.93-fno-common.patch     |  16 -
 .../exim/files/exim-4.93-localscan_dlopen.patch    | 269 ---------
 mail-mta/exim/files/exim-4.93-radius.patch         |  66 ---
 .../exim/files/exim-4.94-taint-pam-expansion.patch |  35 --
 10 files changed, 2289 deletions(-)

Comment 19 NATTkA bot 2021-05-08 08:24:22 UTC

Unable to check for sanity:

> no match for package: mail-mta/exim-4.94.2

Comment 20 Thomas Deutschmann (RETIRED) 2021-05-08 11:41:45 UTC

Repository is clean, all done!