Debian Bug report logs - #947198 sa-exim: CVE-2019-19920
Report forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>: Bug#946829; Package sa-exim. (Mon, 16 Dec 2019 10:33:08 GMT)
Acknowledgement sent to Marco Gaiarin <gaio@sv.lnf.it>: New Bug report received and forwarded. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Mon, 16 Dec 2019 10:33:08 GMT)
Message #5 received at submit@bugs.debian.org:
Package: sa-exim
Version: 4.2.1-16
Severity: normal
Dear Maintainer,
After upgrading SA (security update, 3.4.2-1~deb9u2) I got a flood of these in the logs:
Dec 16 10:04:53 vdmpp1 spamd[15196]: rules: failed to run GREYLIST_ISWHITE test, skipping:
Dec 16 10:04:53 vdmpp1 spamd[15196]: (Insecure dependency in eval while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 76.
Dec 16 10:04:53 vdmpp1 spamd[15196]: )
Probably the security changes in the upgraded SA 'broke' something in sa-exim.
-- System Information:
Debian Release: 9.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sa-exim depends on:
ii debconf [debconf-2.0] 1.5.61
ii exim4-daemon-heavy [exim4-localscanapi-2.0] 4.89-2+deb9u6
ii libc6 2.24-11+deb9u4
ii libnetaddr-ip-perl 4.079+dfsg-1+b1
ii spamc 3.4.2-1~deb9u2
Versions of packages sa-exim recommends:
ii perl 5.24.1-3+deb9u5
Versions of packages sa-exim suggests:
ii spamassassin 3.4.2-1~deb9u2
-- debconf information:
sa-exim/purge_spool: false
Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>: Bug#946829; Package sa-exim. (Mon, 16 Dec 2019 11:21:04 GMT)
Acknowledgement sent to Marco Gaiarin <gaio@sv.lnf.it>: Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Mon, 16 Dec 2019 11:21:05 GMT)
Message #10 received at 946829@bugs.debian.org:
https://sourceforge.net/p/sa-exim/bugs/3/
Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>: Bug#946829; Package sa-exim. (Tue, 17 Dec 2019 00:15:03 GMT)
Acknowledgement sent to Logan Gunthorpe <logang@deltatee.com>: Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Tue, 17 Dec 2019 00:15:04 GMT)
Message #15 received at 946829@bugs.debian.org:
I've also hit this issue.
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 06:42:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>: Bug#946829; Package sa-exim. (Thu, 19 Dec 2019 07:21:02 GMT)
Acknowledgement sent to Henrik Krohns <hege@hege.li>: Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Thu, 19 Dec 2019 07:21:02 GMT)
Message #24 received at 946829@bugs.debian.org:
Hello,
This was really a vulnerability which allowed running any perl code or
commands (even as root), for anyone able to write .cf files/rules.
The bug is mitigated in SpamAssassin 3.4.3, which properly taints
configuration strings, and results in Perl complaining and not running
Greylisting.pm at all.
I've made a proper patch which addresses both the vulnerability and 3.4.3
compatibility.
=====================================================================
--- Greylisting.pm.orig 2019-12-18 17:49:40.351383764 +0200
+++ Greylisting.pm 2019-12-18 22:30:03.745497552 +0200
@@ -21,6 +21,7 @@
use strict;
use Mail::SpamAssassin::Plugin;
+use Mail::SpamAssassin::Util qw(untaint_var);
our @ISA = qw(Mail::SpamAssassin::Plugin);
sub new
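Review bot: the new `use Mail::SpamAssassin::Util qw(untaint_var);` ties this plugin to SpamAssassin versions that export untaint_var, and since sa-exim ships Greylisting.pm separately from SpamAssassin, the minimum SpamAssassin version this import needs should be stated next to it (or in the changelog); Marco's follow-up confirms it loads on 3.4.2-1~deb9u2 and the message names 3.4.3 as the target, so that range is at least known to work.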
@@ -65,9 +66,25 @@
Mail::SpamAssassin::Plugin::dbg("GREYLISTING: called function");
- $optionhash =~ s/;/,/g;
+ #$optionhash =~ s/;/,/g;
# This is safe, right? (users shouldn't be able to set it in their config)
- %option=eval $optionhash;
+ #%option=eval $optionhash;
+
+ # ... no, evaling random strings is not safe!!!
+ # Ditch eval and parse hash string manually to maintain backwards compatibility
+ $optionhash =~ s/^\s*\(\s*//;
+ $optionhash =~ s/\s*\)\s*$//;
+ foreach my $opt (split(/\s*;\s*/, $optionhash)) {
+ my @vals = split(/\s*=>\s*/, $opt, 2);
+ next unless defined $vals[1];
+ # Sanitize away quotes and any unneeded characters, then untaint
+ foreach (@vals) {
+ s/[^\w\/-]//gs;
+ $_ = untaint_var($_);
+ }
+ $option{$vals[0]} = $vals[1];
+ }
+
$self->{'rangreylisting'}=1;
foreach my $reqoption (qw ( method greylistsecs dontgreylistthreshold
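Review bot: `s/[^\w\/-]//gs;` silently strips disallowed characters instead of rejecting the entry, so a malformed or hostile value is concatenated into something unexpected (`'dir'` becomes `dir` as intended, but `evil => system('id')` becomes `evil => systemid`) and the misconfiguration is never reported; prefer matching the whole token against `/^[\w\/-]+$/`, logging a rejected entry through Mail::SpamAssassin::Plugin::dbg() and skipping it, and do the same at `next unless defined $vals[1];` so entries without `=>` show up in the log rather than vanishing. Also drop the commented-out `#$optionhash =~ s/;/,/g;` and `#%option=eval $optionhash;` lines together with the stale "This is safe, right?" comment: the new comment already records why eval was removed, and dead code beside the fix invites someone to re-enable it.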
=====================================================================
Cheers,
Henrik
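The point in Henrik's message, that the option string was Perl source fed to eval and that the fix is to tokenize it instead, as an added example that is not sa-exim's or SpamAssassin's code. The "( key => value; ... )" format and the sanitizing regex are taken from the patch above; the two option strings are constructed, the hostile one sets a package variable where a real payload would call system(), and a regex capture stands in for Mail::SpamAssassin::Util::untaint_var (an assumption; it launders taint the same way):

```perl
#!/usr/bin/perl
# Added example, not sa-exim's or SpamAssassin's code: the eval-based option
# parsing behind CVE-2019-19920 next to the manual parser from the patch.
use strict;
use warnings;

# Constructed benign option string in the "( key => value; ... )" format
# that the patch parses.
my $benign  = q{( method => 'dir'; greylistsecs => 300; dontgreylistthreshold => 5 )};

# Constructed hostile string: whoever can write the .cf rule appends a Perl
# expression as a "value". A real payload would be evil => system('...');
# this one only records that it ran.
my $hostile = q{( method => 'dir'; evil => ($main::injected = "code ran") )};

# Pre-patch logic, kept deliberately vulnerable: the string is Perl source.
sub parse_with_eval {
    my ($str) = @_;
    $str =~ s/;/,/g;
    my %option = eval $str;   # arbitrary Perl runs here; under -T with a
                              # tainted $str Perl instead dies with
                              # "Insecure dependency in eval"
    return \%option;
}

# Patched logic: split on ';' and '=>', keep only [\w/-] in keys and values.
sub parse_manually {
    my ($str) = @_;
    my %option;
    $str =~ s/^\s*\(\s*//;
    $str =~ s/\s*\)\s*$//;
    foreach my $opt (split(/\s*;\s*/, $str)) {
        my @vals = split(/\s*=>\s*/, $opt, 2);
        next unless defined $vals[1];
        foreach (@vals) {
            s/[^\w\/-]//gs;
            # Stand-in for untaint_var (assumption): a capture from a regex
            # match is how Perl code launders a tainted value.
            ($_) = /^([\w\/-]*)$/;
        }
        $option{$vals[0]} = $vals[1];
    }
    return \%option;
}

$main::injected = 'not run';
my $o1 = parse_with_eval($hostile);
printf "eval parser   : injected='%s' method='%s' evil='%s'\n",
    $main::injected, $o1->{method}, $o1->{evil};

$main::injected = 'not run';
my $o2 = parse_manually($hostile);
printf "manual parser : injected='%s' method='%s' evil='%s'\n",
    $main::injected, $o2->{method}, $o2->{evil};

my $o3 = parse_manually($benign);
printf "manual parser (benign): %s\n",
    join(', ', map { "$_=$o3->{$_}" } sort keys %$o3);
```

Run it as `perl example.pl`: the eval path reports injected='code ran', the manual parser leaves the flag at 'not run' and turns the hostile "value" into the harmless token maininjectedcoderan, while the benign string yields dontgreylistthreshold=5, greylistsecs=300, method=dir. Feeding the eval path a tainted string under `perl -T` (for example one taken from %ENV) reproduces the "Insecure dependency in eval while running with -T switch" message from the original report, which is what SpamAssassin 3.4.3's tainting of configuration strings triggers.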
Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>: Bug#946829; Package sa-exim. (Thu, 19 Dec 2019 10:45:09 GMT)
Acknowledgement sent to Marco Gaiarin <gaio@sv.lnf.it>: Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Thu, 19 Dec 2019 10:45:09 GMT)
Message #29 received at 946829@bugs.debian.org:
I can confirm that the patch works as expected.
The patch does not apply cleanly on my SA (3.4.2-1~deb9u2), but only because of cosmetic differences; attached is a patch that works on SA 3.4.2-1~deb9u2.
Thanks!
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
[Greylisting.pm.diff (text/x-diff, attachment)]
Added indication that 946829 affects release.debian.org and security.debian.org. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 16:09:05 GMT)
Severity set to 'serious' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 21 Dec 2019 21:45:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>: Bug#946829; Package sa-exim. (Sun, 22 Dec 2019 19:42:15 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Sun, 22 Dec 2019 19:42:15 GMT)
Message #38 received at 946829@bugs.debian.org:
Control: clone 946829 -1
Control: retitle -1 sa-exim: CVE-2019-19920
Control: tags -1 + security
Hi,
On Thu, Dec 19, 2019 at 09:06:13AM +0200, Henrik Krohns wrote:
>
> Hello,
>
> This was really a vulnerability which allowed running any perl code or
> commands (even as root), for anyone able to write .cf files/rules.
MITRE has assigned CVE-2019-19920 for this issue itself. Although your patch
addresses both the vulnerability and the compatibility issue, I'm cloning
this bug accordingly, just for distinction (the patch can then close both
bugs).
https://marc.info/?l=spamassassin-users&m=157668107325768&w=2
https://marc.info/?l=spamassassin-users&m=157668305026635&w=2
Regards,
Salvatore
Bug 946829 cloned as bug 947198. Request was from Salvatore Bonaccorso <carnil@debian.org> to 946829-submit@bugs.debian.org. (Sun, 22 Dec 2019 19:42:15 GMT)
Changed Bug title to 'sa-exim: CVE-2019-19920' from 'sa-exim: After upgrade SA: GREYLIST_ISWHITE skipped, insecure dependencies'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 946829-submit@bugs.debian.org. (Sun, 22 Dec 2019 19:42:16 GMT)
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to 946829-submit@bugs.debian.org. (Sun, 22 Dec 2019 19:42:17 GMT)
Last modified: Mon Dec 23 09:08:58 2019; Machine Name: beach