Message-ID: <20140528145721.GA66770@redoubt.spodhuis.org>
Date: Wed, 28 May 2014 10:57:21 -0400
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: Fwd: [exim-announce] Exim 4.82.1 Security Release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Short version: Exim MTA, CVE-2014-2957, remote code execution based on
email header content when built with the EXPERIMENTAL_DMARC option.
Flaw introduced with that option in Exim 4.82, which was previously the
current release; no prior releases affected.  EXPERIMENTAL_DMARC is not
on by default.  4.82.1 is 4.82 with only this fix.  Exploitation
difficulty should be considered "trivial".

(We're also about to start the RC series for 4.83, which has many many
 more changes; this issue warranted backport).

Heads-up went to packagers who've worked closely with us in the past
and, I believe, belatedly to linux-distros@.  That included the new
release tarballs and the separated out patch, also PGP-signed (by an
Exim Maintainer key in the Strong Set, per our policy, to maximise
chances of verifiability).

Root cause: lack of more experienced Exim developer oversight in
reviewing commits, given the nature of the comment attached to the bad
code:

 http://git.exim.org/exim.git/commitdiff/5b7a7c051c9ab9ee7c924a611f90ef2be03e0ad0

Also: layer violation, a highly convenient language for configuration
and a lack of tainting at the C level to catch this and scream, when
untrusted data is inserted via %s formatting into a string which is then
expanded with the full power of the configuration language.  Morally
equivalent to "shell eval of header content".

Regards,
- -Phil, pdp@...m.org

- ----- Forwarded message from Todd Lyons <tlyons@...m.org> -----

From: Todd Lyons <tlyons@...m.org>
Subject: [exim-announce] Exim 4.82.1 Security Release
To: Exim Dev <exim-dev@...m.org>, Exim Users <exim-users@...m.org>, Exim Announce <exim-announce@...m.org>
Date: Wed, 28 May 2014 13:25:36 +0100
Message-ID: <20140528122535.GA28379@...m.org>

Exim release 4.82.1 is now available from the primary ftp site:
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-4.82.1.tar.bz2
_________________________________________________________________

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in Exim version 4.82 (only) when built with DMARC support (an
experimental feature, not on by default).  This release is identical to
4.82 except for the small change needed to plug the security hole.  The
next release of Exim will, eventually, be 4.83, which will include the
many improvements we've made since 4.82, but which will require the
normal release candidate baking process before release.

You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC.

This issue, known by the CVE ID CVE-2014-2957, was reported
directly to the Exim development team by a company which uses Exim for
its mail server.  An Exim developer constructed a small patch which
altered the way the contents of the From header are parsed by converting
it to use safer and better internal functions.  It was applied and
tested on a production server for correctness.  We were notified of the
vulnerability Friday night, created a patch on Saturday, applied and
tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
releasing on the next available work day, which is Wednesday.

This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production (if the packages were built with DMARC).

_________________________________________________________________

The primary ftp server is in Cambridge, England. There is a list of
mirrors in:
* http://www.exim.org/mirmon/ftp_mirrors.html

The master ftp server is ftp.exim.org, which is also accessible at
http://ftp.exim.org.

The distribution files are signed with Todd Lyons' PGP key
0xC4F4F94804D29EBA (uid tlyons@...m.org with a strong relationship to
prior release engineer Phil Pennock's PGP key 0x403043153903637F).  This
key should be available from all modern PGP keyservers.  Please use your
own discretion in assessing what trust paths you might have to this uid;
the "Release verification" section of the Release Policy might be of
assistance:

* http://wiki.exim.org/EximReleasePolicy

The detached ASCII signature files are in the same directory as the
tarbundles. The SHA256 hashes for the distribution files are at the end
of this email.

The distribution contains an ASCII copy of the 4.82.1 manual and
other documents. Other formats of the documentation are also
available:
* ftp://ftp.exim.org/pub/exim/exim4/exim-html-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-pdf-4.82.1.tar.gz
* ftp://ftp.exim.org/pub/exim/exim4/exim-postscript-4.82.1.tar.gz

The .bz2 versions of these tarbundles are also available.

The only change is this bugfix, thus no ChangeLog-4.82.1 file.
There are no new features, thus no NewStuff-4.82.1 file.

_________________________________________________________________

Release Checksums

SHA256:
51798cead70b9ca03df88afb63f7a0cabedee8ef82c02bd18d67591c08b14500 exim-4.82.1.tar.bz2
f06f34ab599cd84be605b3a00e0fac81f93d9be46d5b9466ac9b38ac5e12dc4c exim-4.82.1.tar.bz2.asc
b8935b31b842cfd77afb345390c07d7b8524a7083fa1963ca7577a66d83d8df0 exim-4.82.1.tar.gz
60487f824f5c8601c21d0ffd70ab56b3d9bc6c62daa801feddee7a49fb8a857d exim-4.82.1.tar.gz.asc
81d0237cff64b259d47c758d5c82da93bd2e7b8ce048974d53d90e597eee122e exim-html-4.82.1.tar.bz2
6f684c90f817a8c41454272310f1a949026a0998c27739493a3c0bdc9346a552 exim-html-4.82.1.tar.bz2.asc
b03f2ca40407b16bd287956baee1fb2b215f8bb79e696d50adedc9148331d289 exim-html-4.82.1.tar.gz
57fb26b6870af5681c789c93437278d8601c14b7cd5255cbd466ab0382ea1387 exim-html-4.82.1.tar.gz.asc
2e3705504f22633a14d417ffcb72c6beddc2f142e38ff4f01394b83ae583ff42 exim-pdf-4.82.1.tar.bz2
2c64767ece949306bfa2432d67d1cc9127b9e318147ee01aba912fc2122493ef exim-pdf-4.82.1.tar.bz2.asc
d209d3db1a80a38e1737ba6cd2e155d2a7c93c0db78aafde86025137001ebcf7 exim-pdf-4.82.1.tar.gz
423fd129818af8f60493b233a1dea5c34890e807ed59e772e0d6e0143148fc5b exim-pdf-4.82.1.tar.gz.asc
f9c69153b1da3ef854c73ac98ec5bcef842438c5630819bc2287dec869bd039d exim-postscript-4.82.1.tar.bz2
c8182006eb59d7a909340f0e7eb4611da3c604ef28a98f5b6ceb676b3c6da9a1 exim-postscript-4.82.1.tar.bz2.asc
1d3c1f1c4bdb66c89b82d3925578f4ab29c87f2af4e3e1c1096366bafdfad000 exim-postscript-4.82.1.tar.gz
067a55860b3da017c6d9f23e8df944e9aca2d73f1de65f44b1557f4878f64cb1 exim-postscript-4.82.1.tar.gz.asc


- -- Todd Lyons, pp The Exim Maintainers.

- ----- End forwarded message -----
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJThflIAAoJEKBsj+IM0duFafkH/1ulHdWdJFW1C7Q7esFRLpM1
AADXUWBx0VQ4itwXaIhXpOWSw2SeX8C9qUP96YusKS2BRZWLk41wb3prWP5ehqUE
5xbTKci7HPPO1d+NfmYkWp55WDuKEgTH7d2tCHC8EnHvm+N/drZNOdZfLPz0UBaM
0KmbOFkueLcEr0JzVqHEoIBtjtWONGVzg63Sfmkw3m0KetT8iX6rBN2ekHvUHnti
eKsQ/Y0E8o56OYJ2s/AxDLPs6JMgyIxQV5SjcHZBcb+4PxV0f3dZs5EnCz2ROW1v
MKN3eu6N+um+tss8vTafHltcUn/5LFyoXYLoj33k7Bz1pVcqWH4AhNcITpswEvo=
=4ybl
-----END PGP SIGNATURE-----
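Phil's root-cause note above describes the bug class, not the exact code: untrusted header text is pushed through a %s format into a template string, and that string is then handed to the configuration-language expander, so anything in the header that looks like an expansion item gets interpreted. The following is an added illustration of that pattern and is not Exim's code; the real change is in the commit linked above. It uses a toy expander that understands only two items, `${domain:ADDR}` and `${run{CMD}}`, with `run` merely recording the command it would have executed. The `${domain:%s}` template, the function names, and the header-parsing helper are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a configuration-expansion language (illustration only,
 * not Exim's expand_string()).  Supports:
 *   ${domain:ADDR}  -> text after the last '@' in the expanded ADDR
 *   ${run{CMD}}     -> "executes" CMD; here it only records the command  */
#define MAXOUT 256
static char last_run_cmd[MAXOUT];   /* what ${run{...}} would have executed */

/* s[0] must be '{'; returns index of the matching '}' or -1. */
static int match_brace(const char *s) {
    int depth = 0;
    for (int i = 0; s[i]; i++) {
        if (s[i] == '{') depth++;
        else if (s[i] == '}' && --depth == 0) return i;
    }
    return -1;
}

/* Expand `in` into `out` (capacity n).  Returns 0 on success, -1 on error.
 * Item arguments are expanded recursively, as a real expander would do. */
static int expand(const char *in, char *out, size_t n) {
    size_t o = 0;
    out[0] = 0;
    while (*in) {
        if (in[0] == '$' && in[1] == '{') {
            int end = match_brace(in + 1);          /* index relative to in+1 */
            if (end < 0) return -1;
            char body[MAXOUT], expanded[MAXOUT];
            size_t blen = (size_t)end - 1;          /* text between the braces */
            if (blen >= sizeof body) return -1;
            memcpy(body, in + 2, blen); body[blen] = 0;
            if (strncmp(body, "run{", 4) == 0) {
                int e = match_brace(body + 3);
                if (e < 0) return -1;
                body[3 + e] = 0;
                if (expand(body + 4, last_run_cmd, sizeof last_run_cmd) < 0) return -1;
                snprintf(expanded, sizeof expanded, "<output of %s>", last_run_cmd);
            } else if (strncmp(body, "domain:", 7) == 0) {
                char arg[MAXOUT];
                if (expand(body + 7, arg, sizeof arg) < 0) return -1;
                const char *at = strrchr(arg, '@');
                snprintf(expanded, sizeof expanded, "%s", at ? at + 1 : "");
            } else {
                return -1;                          /* unknown item */
            }
            size_t elen = strlen(expanded);
            if (o + elen >= n) return -1;
            memcpy(out + o, expanded, elen); o += elen; out[o] = 0;
            in += end + 2;                          /* skip past "${...}" */
        } else {
            if (o + 1 >= n) return -1;
            out[o++] = *in++; out[o] = 0;
        }
    }
    return 0;
}

/* Vulnerable pattern (assumed shape, mirroring the advisory's description):
 * the raw From: header goes through %s into a template that is then
 * expanded, so header content is interpreted by the expander. */
static int from_domain_vulnerable(const char *from_header, char *out, size_t n) {
    char tmpl[MAXOUT];
    snprintf(tmpl, sizeof tmpl, "${domain:%s}", from_header);
    return expand(tmpl, out, n);
}

/* Safe pattern: pull the domain out with a plain C parser.  The header text
 * is treated as data and never reaches the expander at all. */
static int from_domain_safe(const char *from_header, char *out, size_t n) {
    const char *lt = strchr(from_header, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    const char *start = lt ? lt + 1 : from_header;
    const char *end = gt ? gt : from_header + strlen(from_header);
    const char *at = memchr(start, '@', (size_t)(end - start));
    if (!at) { out[0] = 0; return -1; }
    size_t len = (size_t)(end - (at + 1));
    if (len >= n) return -1;
    memcpy(out, at + 1, len); out[len] = 0;
    return 0;
}

int main(void) {
    /* Constructed hostile header: an expansion item smuggled into the domain part. */
    const char *hostile = "attacker@${run{id}}";
    char out[MAXOUT];
    from_domain_vulnerable(hostile, out, sizeof out);
    printf("vulnerable: domain=%s  ran=%s\n", out, last_run_cmd);
    last_run_cmd[0] = 0;
    from_domain_safe(hostile, out, sizeof out);
    printf("safe:       domain=%s  ran=%s\n", out, last_run_cmd);
    return 0;
}
```

The vulnerable path reports that `id` was "run", because the header's `${run{id}}` was parsed as an expansion item inside `${domain:...}`; the safe path returns the literal string `${run{id}}` as the domain and nothing is executed. The general lesson matches Phil's tainting remark: data that came off the wire must never be concatenated into something that is later evaluated, whether that evaluator is a shell, a template engine, or an MTA's string-expansion language.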
