Bug 864097 (CVE-2022-37451, CVE-2022-37452) - mail-mta/exim: multiple vulnerabilities
Summary: mail-mta/exim: multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2022-37451, CVE-2022-37452
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/ivd38/exim_invalid...
Whiteboard: B3 [ebuild]
Reported: 2022-08-06 18:15 UTC by John Helmert III
Modified: 2022-08-10 04:42 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-06 18:15:16 UTC
Fix is in 4.96, please bump.

https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42
Comment 1 Fabian Groffen gentoo-dev 2022-08-06 18:24:56 UTC
This was not silently fixed, I made noise about this, and since this was considered not a big deal, we don't have 4.95 in the tree (I retracted the build-animal, for it wasn't used/acted on anyway) and 4.96 is for similar reasons masked, for newer releases of Exim are just unusable.

I suggest you close this issue, as we simply don't "suffer" from this problem.

% q -mvv exim
# Fabian Groffen <grobian@gentoo.org> (2022-07-02)
# Segfaults handling SPF validations (warn on permerror), like the
# previous release, better not to trust your important mail to
~mail-mta/exim-4.96
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-07 00:07:56 UTC
(In reply to Fabian Groffen from comment #1)
> This was not silently fixed, I made noise about this, and since this was
> considered not a big deal, we don't have 4.95 in the tree (I retracted the
> build-animal, for it wasn't used/acted on anyway) and 4.96 is for similar
> reasons masked, for newer releases of Exim are just unusable.
> 
> I suggest you close this issue, as we simply don't "suffer" from this
> problem.

The version with the patch is masked, but I'm not sure how that means it doesn't affect us?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-07 22:46:49 UTC
CVE-2022-37452:

Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
Comment 5 Fabian Groffen gentoo-dev 2022-08-09 18:31:38 UTC
(In reply to John Helmert III from comment #2)
> The version with the patch is masked, but I'm not sure how that means it
> doesn't affect us?

It was introduced in 4.95, a version which we no longer have in the tree.  So 4.94 and 4.96 are fine.

(In reply to John Helmert III from comment #3)
> There is another:
> 
> https://github.com/ivd38/exim_overflow
> https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743
> https://www.openwall.com/lists/oss-security/2022/08/06/8
> 
> The first issue is CVE-2022-37451.

This one is included in 4.94.2-r8 via bug #799368, and available upstream since 4.95.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:42:53 UTC
(In reply to Fabian Groffen from comment #5)
> (In reply to John Helmert III from comment #2)
> > The version with the patch is masked, but I'm not sure how that means it
> > doesn't affect us?
> 
> It was introduced in 4.95, a version which we no longer have in the tree. 
> So 4.94 and 4.96 are fine.
> 
> (In reply to John Helmert III from comment #3)
> > There is another:
> > 
> > https://github.com/ivd38/exim_overflow
> > https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743
> > https://www.openwall.com/lists/oss-security/2022/08/06/8
> > 
> > The first issue is CVE-2022-37451.
> 
> This one is included in 4.94.2-r8 via bug #799368, and available upstream
> since 4.95.

Ah, thanks!