sa-exim: CVE-2019-19920

Related Vulnerabilities: CVE-2019-19920  

Debian Bug report logs - #947198
sa-exim: CVE-2019-19920


Reported by: Marco Gaiarin <gaio@sv.lnf.it>

Date: Mon, 16 Dec 2019 10:33:05 UTC

Severity: serious

Tags: security, upstream

Found in version sa-exim/4.2.1-16

Forwarded to https://sourceforge.net/p/sa-exim/bugs/3/



Report forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#946829; Package sa-exim. (Mon, 16 Dec 2019 10:33:08 GMT)


Acknowledgement sent to Marco Gaiarin <gaio@sv.lnf.it>:
New Bug report received and forwarded. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Mon, 16 Dec 2019 10:33:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marco Gaiarin <gaio@sv.lnf.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sa-exim: After upgrade SA: GREYLIST_ISWHITE skipped, insecure dependencies
Date: Mon, 16 Dec 2019 11:22:15 +0100
Package: sa-exim
Version: 4.2.1-16
Severity: normal

Dear Maintainer,

After upgrading SA (security update, 3.4.2-1~deb9u2) I got a flood of these in the logs:

 Dec 16 10:04:53 vdmpp1 spamd[15196]: rules: failed to run GREYLIST_ISWHITE test, skipping:
 Dec 16 10:04:53 vdmpp1 spamd[15196]:  (Insecure dependency in eval while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 76.
 Dec 16 10:04:53 vdmpp1 spamd[15196]: )

Probably the security changes added in the upgraded SA 'broke' something in sa-exim.

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sa-exim depends on:
ii  debconf [debconf-2.0]                        1.5.61
ii  exim4-daemon-heavy [exim4-localscanapi-2.0]  4.89-2+deb9u6
ii  libc6                                        2.24-11+deb9u4
ii  libnetaddr-ip-perl                           4.079+dfsg-1+b1
ii  spamc                                        3.4.2-1~deb9u2

Versions of packages sa-exim recommends:
ii  perl  5.24.1-3+deb9u5

Versions of packages sa-exim suggests:
ii  spamassassin  3.4.2-1~deb9u2

-- debconf information:
  sa-exim/purge_spool: false



Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#946829; Package sa-exim. (Mon, 16 Dec 2019 11:21:04 GMT)


Acknowledgement sent to Marco Gaiarin <gaio@sv.lnf.it>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Mon, 16 Dec 2019 11:21:05 GMT)


Message #10 received at 946829@bugs.debian.org:

From: Marco Gaiarin <gaio@sv.lnf.it>
To: 946829@bugs.debian.org
Subject: Added upstream.
Date: Mon, 16 Dec 2019 12:09:31 +0100
https://sourceforge.net/p/sa-exim/bugs/3/



Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#946829; Package sa-exim. (Tue, 17 Dec 2019 00:15:03 GMT)


Acknowledgement sent to Logan Gunthorpe <logang@deltatee.com>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Tue, 17 Dec 2019 00:15:04 GMT)


Message #15 received at 946829@bugs.debian.org:

From: Logan Gunthorpe <logang@deltatee.com>
To: 946829@bugs.debian.org
Subject: Re: Added upstream.
Date: Mon, 16 Dec 2019 16:51:23 -0700
I've also hit this issue.



Set Bug forwarded-to-address to 'https://sourceforge.net/p/sa-exim/bugs/3/'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 06:42:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 06:42:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#946829; Package sa-exim. (Thu, 19 Dec 2019 07:21:02 GMT)


Acknowledgement sent to Henrik Krohns <hege@hege.li>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Thu, 19 Dec 2019 07:21:02 GMT)


Message #24 received at 946829@bugs.debian.org:

From: Henrik Krohns <hege@hege.li>
To: 946829@bugs.debian.org
Subject: Patch
Date: Thu, 19 Dec 2019 09:06:13 +0200
Hello,

This was really a vulnerability which allowed running any perl code or
commands (even as root), for anyone able to write .cf files/rules.

The bug is mitigated in SpamAssassin 3.4.3, which properly taints
configuration strings, and results in Perl complaining and not running
Greylisting.pm at all.

I've made a proper patch which addresses both the vulnerability and 3.4.3
compatibility.

=====================================================================
--- Greylisting.pm.orig 2019-12-18 17:49:40.351383764 +0200
+++ Greylisting.pm      2019-12-18 22:30:03.745497552 +0200
@@ -21,6 +21,7 @@

 use strict;
 use Mail::SpamAssassin::Plugin;
+use Mail::SpamAssassin::Util qw(untaint_var);
 our @ISA = qw(Mail::SpamAssassin::Plugin);

 sub new
@@ -65,9 +66,25 @@

     Mail::SpamAssassin::Plugin::dbg("GREYLISTING: called function");

-    $optionhash  =~ s/;/,/g;
+    #$optionhash  =~ s/;/,/g;
     # This is safe, right? (users shouldn't be able to set it in their config)
-    %option=eval $optionhash;
+    #%option=eval $optionhash;
+
+    # ... no, evaling random strings is not safe!!!
+    # Ditch eval and parse hash string manually to maintain backwards compatibility
+    $optionhash =~ s/^\s*\(\s*//;
+    $optionhash =~ s/\s*\)\s*$//;
+    foreach my $opt (split(/\s*;\s*/, $optionhash)) {
+       my @vals = split(/\s*=>\s*/, $opt, 2);
+       next unless defined $vals[1];
+       # Sanitize away quotes and any unneeded characters, then untaint
+       foreach (@vals) {
+           s/[^\w\/-]//gs;
+           $_ = untaint_var($_);
+       }
+       $option{$vals[0]} = $vals[1];
+    }
+
     $self->{'rangreylisting'}=1;

     foreach my $reqoption (qw ( method greylistsecs dontgreylistthreshold
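Review bot: the sanitizer `s/[^\w\/-]//gs` in this hunk deletes every character outside word characters, `/` and `-`, so a value containing a decimal point (a score threshold such as `dontgreylistthreshold => 2.5`, one of the required options checked in the `foreach my $reqoption` loop right below) is silently rewritten to `25` instead of being rejected; either add `.` to the allowed class or compare the value before and after the substitution and refuse (`die`, or `dbg` plus `next`) when it changed, so a mangled option is never applied. Two smaller points: the commented-out lines `#$optionhash  =~ s/;/,/g;` and `#%option=eval $optionhash;` should be deleted rather than kept, since the comment above the new loop already records why the eval went away; and `next unless defined $vals[1];` drops any entry without `=>` without a trace, which deserves a `dbg` so a typo in the option string shows up in the log rather than as a missing option later.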
=====================================================================

Cheers,
Henrik



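The following is an added example and not code from sa-exim, SpamAssassin or Henrik's message: it puts the pre-patch `eval $optionhash` next to the manual parser from the hunk above and feeds both the same constructed option strings. The subroutine names `parse_eval` and `parse_manual`, the two option strings, the `$::pwned` side-effect flag and the regex capture that stands in for `Mail::SpamAssassin::Util::untaint_var` are all assumptions of the example so it runs without SpamAssassin installed. It also shows the caveat in the sanitizer: `2.5` collapses to `25`.

```perl
#!/usr/bin/perl
# Added example, not code from sa-exim or SpamAssassin: contrasts the
# pre-patch `eval $optionhash` with the manual parser in Henrik's patch.
# parse_eval, parse_manual, the option strings and $::pwned are constructed
# for this demonstration.
use strict;
use warnings;

# Option string in the shape Greylisting.pm expects: a hash literal whose
# pairs are separated by ';' (the old code turned ';' into ',' before eval).
my $benign  = q{(method => 'file'; greylistsecs => 300; dontgreylistthreshold => 2.5)};

# Hostile string, as someone able to edit .cf rules could supply: the
# "value" of greylistsecs is a Perl expression with a side effect. A
# system('...') call or backticks in the same spot would run as the spamd user.
my $hostile = q{(method => 'file'; greylistsecs => $::pwned = 1)};

# Pre-patch behaviour: whatever Perl is in the string gets executed.
sub parse_eval {
    my ($optionhash) = @_;
    $optionhash =~ s/;/,/g;
    my %option = eval $optionhash;   # attacker-supplied code runs here
    die "eval failed: $@" if $@;
    return \%option;
}

# Patched behaviour: tokenise by hand, strip everything outside [\w/-],
# then untaint. A regex capture stands in for untaint_var so this runs
# without Mail::SpamAssassin::Util.
sub parse_manual {
    my ($optionhash) = @_;
    my %option;
    $optionhash =~ s/^\s*\(\s*//;
    $optionhash =~ s/\s*\)\s*$//;
    foreach my $opt (split(/\s*;\s*/, $optionhash)) {
        my @vals = split(/\s*=>\s*/, $opt, 2);
        next unless defined $vals[1];
        foreach (@vals) {
            s/[^\w\/-]//gs;      # drops quotes, '$', '=', spaces, and also '.'
            ($_) = /^(.*)$/s;    # stand-in for untaint_var: capture clears taint
        }
        $option{$vals[0]} = $vals[1];
    }
    return \%option;
}

# Print the side-effect flag and the parsed options for one run.
sub show {
    my ($label, $opt) = @_;
    printf "%-8s pwned=%d %s\n", $label, $::pwned,
        join(' ', map { "$_=$opt->{$_}" } sort keys %$opt);
}

$::pwned = 0;
show('eval:',   parse_eval($hostile));
$::pwned = 0;
show('manual:', parse_manual($hostile));
show('benign:', parse_manual($benign));
```

Running it shows the eval variant setting `$::pwned` while the string is "parsed", whereas the manual parser leaves the flag untouched and stores only the inert residue `pwned1` as the value of `greylistsecs`. The benign run shows the quotes around `file` stripped as intended, but also `dontgreylistthreshold` arriving as `25` rather than `2.5`. Under SpamAssassin 3.4.3, where configuration strings are tainted, the eval variant does not run at all; it dies with the "Insecure dependency in eval while running with -T switch" message quoted in the original report.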

Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#946829; Package sa-exim. (Thu, 19 Dec 2019 10:45:09 GMT)


Acknowledgement sent to Marco Gaiarin <gaio@sv.lnf.it>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Thu, 19 Dec 2019 10:45:09 GMT)


Message #29 received at 946829@bugs.debian.org:

From: Marco Gaiarin <gaio@sv.lnf.it>
To: 946829@bugs.debian.org
Subject: Patch works!
Date: Thu, 19 Dec 2019 11:41:21 +0100
I can confirm that patch works as expected.

The patch does not apply cleanly on my SA (3.4.2-1~deb9u2), but only because of
cosmetic differences; attached is a patch that works on SA 3.4.2-1~deb9u2.


Thanks!

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
[Greylisting.pm.diff (text/x-diff, attachment)]

Added indication that 946829 affects release.debian.org and security.debian.org. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 16:09:05 GMT)


Severity set to 'serious' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 21 Dec 2019 21:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#946829; Package sa-exim. (Sun, 22 Dec 2019 19:42:15 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Sun, 22 Dec 2019 19:42:15 GMT)


Message #38 received at 946829@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henrik Krohns <hege@hege.li>, 946829@bugs.debian.org
Subject: CVE-2019-19920
Date: Sun, 22 Dec 2019 20:40:51 +0100
Control: clone 946829 -1
Control: retitle -1 sa-exim: CVE-2019-19920
Control: tags -1 + security

Hi,

On Thu, Dec 19, 2019 at 09:06:13AM +0200, Henrik Krohns wrote:
> 
> Hello,
> 
> This was really a vulnerability which allowed running any perl code or
> commands (even as root), for anyone able to write .cf files/rules.

MITRE has assigned CVE-2019-19920 for this issue itself. As your patch
addresses both the vulnerability and the compatibility, I'm still, just
for distinction, cloning this bug accordingly (but the patch can then
close both bugs).

https://marc.info/?l=spamassassin-users&m=157668107325768&w=2
https://marc.info/?l=spamassassin-users&m=157668305026635&w=2

Regards,
Salvatore



Bug 946829 cloned as bug 947198. Request was from Salvatore Bonaccorso <carnil@debian.org> to 946829-submit@bugs.debian.org. (Sun, 22 Dec 2019 19:42:15 GMT)


Changed Bug title to 'sa-exim: CVE-2019-19920' from 'sa-exim: After upgrade SA: GREYLIST_ISWHITE skipped, insecure dependencies'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 946829-submit@bugs.debian.org. (Sun, 22 Dec 2019 19:42:16 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to 946829-submit@bugs.debian.org. (Sun, 22 Dec 2019 19:42:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Dec 23 09:08:58 2019; Machine Name: beach
