exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header

Related Vulnerabilities: CVE-2017-16943, CVE-2017-16944

Debian Bug report logs - #882648
exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header


Reported by: Dominic Hargreaves <dom@earth.li>

Date: Sat, 25 Nov 2017 09:27:01 UTC

Severity: grave

Tags: fixed-upstream, security

Found in versions exim4/4.89-1, exim4/4.89-2+deb9u1, exim4/4.89-9

Fixed in versions exim4/4.89-12, exim4/4.90~RC3-1, exim4/4.89-2+deb9u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.exim.org/show_bug.cgi?id=2199



Report forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#882648; Package exim4. (Sat, 25 Nov 2017 09:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sat, 25 Nov 2017 09:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: exim4: remote code execution in chunking
Date: Sat, 25 Nov 2017 09:25:43 +0000

Package: exim4
Version: 4.89-9
Severity: grave
Tags: security
Justification: remote code execution

Source: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

----- Forwarded message from Phil Pennock <pdp@exim.org> -----

Date: Fri, 24 Nov 2017 22:48:42 -0500
From: Phil Pennock <pdp@exim.org>
To: exim-announce@exim.org
Subject: [exim-announce] Critical Exim Security Vulnerability: disable chunking
Reply-To: exim-announce-owner@exim.org

Folks,

A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

  chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals.  This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

This should be a complete workaround.  Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs.  More news will be forthcoming as we get this
worked out.

-Phil





----- End forwarded message -----



Marked as found in versions exim4/4.89-2+deb9u1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 25 Nov 2017 09:30:06 GMT) (full text, mbox, link).


Marked as found in versions exim4/4.89-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 09:33:09 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://bugs.exim.org/show_bug.cgi?id=2199'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 09:39:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#882648; Package exim4. (Sat, 25 Nov 2017 10:36:14 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sat, 25 Nov 2017 10:36:14 GMT) (full text, mbox, link).


Message #16 received at 882648@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>
To: Dominic Hargreaves <dom@earth.li>, 882648@bugs.debian.org
Subject: Re: Bug#882648: exim4: remote code execution in chunking
Date: Sat, 25 Nov 2017 11:34:56 +0100

On 2017-11-25 Dominic Hargreaves <dom@earth.li> wrote:
> Package: exim4
> Version: 4.89-9
> Severity: grave
> Tags: security
> Justification: remote code execution

> ----- Forwarded message from Phil Pennock <pdp@exim.org> -----
[...]
> With immediate effect, please apply this workaround: if you are running
> Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
> section of your Exim configuration, set:

>   chunking_advertise_hosts =
[...]
> ----- End forwarded message -----

Hello,

please note that Debian/stable is patched to set 
 chunking_advertise_hosts =
by default. Therefore stable users should not be affected unless they
have locally set chunking_advertise_hosts to a nonempty value.

Also there seem to be two separate issues
https://bugs.exim.org/show_bug.cgi?id=2199
and
https://bugs.exim.org/show_bug.cgi?id=2201

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#882648; Package exim4. (Sat, 25 Nov 2017 10:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sat, 25 Nov 2017 10:45:03 GMT) (full text, mbox, link).


Message #21 received at 882648@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Andreas Metzler <ametzler@bebt.de>, 882648@bugs.debian.org
Cc: Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#882648: exim4: remote code execution in chunking
Date: Sat, 25 Nov 2017 11:41:24 +0100

Hi,

[just some additional comments]

On Sat, Nov 25, 2017 at 11:34:56AM +0100, Andreas Metzler wrote:
> On 2017-11-25 Dominic Hargreaves <dom@earth.li> wrote:
> > Package: exim4
> > Version: 4.89-9
> > Severity: grave
> > Tags: security
> > Justification: remote code execution
> 
> > ----- Forwarded message from Phil Pennock <pdp@exim.org> -----
> [...]
> > With immediate effect, please apply this workaround: if you are running
> > Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
> > section of your Exim configuration, set:
> 
> >   chunking_advertise_hosts =
> [...]
> > ----- End forwarded message -----
> 
> Hello,
> 
> please note that Debian/stable is patched to set 
>  chunking_advertise_hosts =
> by default. Therefore stable users should not be affected unless they
> have locally set chunking_advertise_hosts to a nonempty value.

Ack, let's leave the severity though to grave due to the immediate
issue for unstable/experimental version.

> Also there seem to be two separate issues
> https://bugs.exim.org/show_bug.cgi?id=2199
> and
> https://bugs.exim.org/show_bug.cgi?id=2201

yes. I have explicitly associated #882648 with
https://bugs.exim.org/show_bug.cgi?id=2199 and then
https://bugs.exim.org/show_bug.cgi?id=2201 separately in the
security-tracker, cf. https://security-tracker.debian.org/exim4
(will update it once CVEs assigned).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#882648; Package exim4. (Sat, 25 Nov 2017 11:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sat, 25 Nov 2017 11:09:06 GMT) (full text, mbox, link).


Message #26 received at 882648@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 882648@bugs.debian.org
Cc: Dominic Hargreaves <dom@earth.li>
Subject: Re: Bug#882648: exim4: remote code execution in chunking
Date: Sat, 25 Nov 2017 12:06:20 +0100

On 2017-11-25 Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Sat, Nov 25, 2017 at 11:34:56AM +0100, Andreas Metzler wrote:
[...]
>> please note that Debian/stable is patched to set 
>>  chunking_advertise_hosts =
>> by default. Therefore stable users should not be affected unless they
>> have locally set chunking_advertise_hosts to a nonempty value.

> Ack, let's leave the severity though to grave due to the immediate
> issue for unstable/experimental version.
[...]

Agreed. As a workaround I have just uploaded -10 to unstable with
urgency=critical, re-introducing the patch present in Debian/stable.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Changed Bug title to 'exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header' from 'exim4: remote code execution in chunking'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 18:21:07 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Nov 2017 18:21:08 GMT) (full text, mbox, link).


Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Tue, 28 Nov 2017 19:21:06 GMT) (full text, mbox, link).


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Tue, 28 Nov 2017 19:21:06 GMT) (full text, mbox, link).


Message #35 received at 882648-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>
To: 882648-close@bugs.debian.org
Subject: Bug#882648: fixed in exim4 4.89-12
Date: Tue, 28 Nov 2017 19:19:00 +0000

Source: exim4
Source-Version: 4.89-12

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Nov 2017 20:04:23 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy eximon4 exim4-dev
Architecture: source
Version: 4.89-12
Distribution: unstable
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 882648
Description: 
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-dev  - header files for the Exim MTA (v4) packages
 exim4      - metapackage to ease Exim MTA (v4) installation
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
 exim4 (4.89-12) unstable; urgency=high
 .
   * Sync with exim-4_89+fixes branch:
     + 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch
     + 75_fixes_20-Avoid-release-of-store-if-there-have-been-later-allo.patch
       Closes: #882648 (use-after-free, remote-code-execution) CVE-2017-16943
   * Update EDITME* for 75_fixes_19-Fix-mariadb-mysql-macro-confusion.patch.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Fri, 01 Dec 2017 18:36:03 GMT) (full text, mbox, link).


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Fri, 01 Dec 2017 18:36:03 GMT) (full text, mbox, link).


Message #40 received at 882648-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>
To: 882648-close@bugs.debian.org
Subject: Bug#882648: fixed in exim4 4.90~RC3-1
Date: Fri, 01 Dec 2017 18:33:50 +0000

Source: exim4
Source-Version: 4.90~RC3-1

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Dec 2017 19:14:08 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy eximon4 exim4-dev
Architecture: source
Version: 4.90~RC3-1
Distribution: experimental
Urgency: medium
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 882648 882671
Description: 
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-dev  - header files for the Exim MTA (v4) packages
 exim4      - metapackage to ease Exim MTA (v4) installation
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
 exim4 (4.90~RC3-1) experimental; urgency=medium
 .
   * New upstream version.
     + Fix a use-after-free while reading smtp input for header lines.
       A crafted sequence of BDAT commands could result in in-use memory
       being freed.  CVE-2017-16943. Closes: #882648
     + Fix checking for leading-dot on a line during headers reading
       from SMTP input.  Previously it was always done; now only done for
       DATA and not BDAT commands.  CVE-2017-16944 Closes: #882671
   * Drop 78_Disable-chunking-BDAT-by-default.patch again.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 02 Dec 2017 19:33:24 GMT) (full text, mbox, link).


Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sat, 02 Dec 2017 19:33:24 GMT) (full text, mbox, link).


Message #45 received at 882648-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 882648-close@bugs.debian.org
Subject: Bug#882648: fixed in exim4 4.89-2+deb9u2
Date: Sat, 02 Dec 2017 19:32:22 +0000

Source: exim4
Source-Version: 4.89-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
exim4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882648@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated exim4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Nov 2017 22:58:00 +0100
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy eximon4 exim4-dbg exim4-daemon-light-dbg exim4-daemon-heavy-dbg exim4-dev
Architecture: source
Version: 4.89-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 882648 882671
Description: 
 exim4      - metapackage to ease Exim MTA (v4) installation
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA "heavy" daemon
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-daemon-light-dbg - debugging symbols for the Exim MTA "light" daemon
 exim4-dbg  - debugging symbols for the Exim MTA (utilities)
 exim4-dev  - header files for the Exim MTA (v4) packages
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
 exim4 (4.89-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Avoid release of store if there have been later allocations
     (CVE-2017-16943) (Closes: #882648)
   * Chunking: do not treat the first lonely dot special (CVE-2017-16944)
     (Closes: #882671)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 08:04:09 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:11:59 2019; Machine Name: buxtehude
