Message-ID: <20050116132526.GA19182@torres.l21.ma.zugschlus.de>
From: mh+full-disclosure at zugschlus.de (Marc Haber)
Subject: iDEFENSE Security Advisory 01.14.05: Exim
	dns_buld_reverse() Buffer Overflow Vulnerability

Hi,

On Fri, Jan 14, 2005 at 12:41:05PM -0500, idlabs-advisories@...fense.com wrote:
> Exim dns_buld_reverse() Buffer Overflow Vulnerability 

That would have to be dns_build_reverse

> iDEFENSE Security Advisory 01.14.05
> www.idefense.com/application/poi/display?id=183&type=vulnerabilities

That web page is only viewable with JavaScript enabled, and is thus
unviewable with a browser configured to minimize the surfing risk. For
a security-related organization, I consider this poor design.

> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

That one is syntactically invalid, and neither of the obvious fixes
results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
correctly complains that it is unable to parse the parameter as an
IPv6 address and exits with an exit code of 1. The same happens with a
locally built 4.41 without Debian patches.

> iDEFENSE has confirmed the existence of this vulnerability in Exim 
> versions 4.40 and 4.41. A source audit of version 4.42 suggests that it 
> is also vulnerable. It is suspected that earlier versions are also 
> vulnerable.

According to the upstream author's advisory, released ten days before
the date of the advisory I am replying to, 4.43 is vulnerable as well.

> V. WORKAROUND
> 
> iDEFENSE is currently unaware of any effective workarounds for this 
> vulnerability.

However, exim's author has released a patch addressing this
vulnerability ten days before the release of the advisory stating
there are no effective workarounds.

So you are basically saying that the patch from Philip Hazel is
ineffective?

> VI. VENDOR RESPONSE
> 
> A patch for Exim release 4.43 which addresses this vulnerability is
> available at:
> 
>    http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

Is that patch an effective workaround, or is it not?

> The patch will be incorporated into a future Exim release (4.50).

There is also an interim release 4.44 incorporating the patch:

http://www.exim.org/mail-archives/exim-announce/2005/msg00001.html

I find it also interesting that the release message references two
iDEFENSE notification messages whose reference numbers have not been
included in the final advisory as released by iDEFENSE.

> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten
days before the date of the advisory stating that no CVE number has
been assigned.

> VIII. DISCLOSURE TIMELINE
> 
> 09/30/2004  Initial vendor notification
> 09/30/2004  Initial vendor response
  01/04/2005  Vendor releases a patch
  01/14/2005  Vendor releases interim release incorporating the patch
> 01/14/2005  Public disclosure

> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.

I can fully understand that. The entire advisory seems to be _very_
sloppily prepared, or to have been unduly delayed and passed by
reality before it was finally released.

If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
should not have been released in the first place. If it addresses a
new vulnerability, it should be clearer in that regard. And it
should include code that actually allows one to reproduce the vulnerability.

Just for the record:
The following package versions of exim and exim4 in Debian/GNU Linux
fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

exim4     4.43-2         experimental
exim4     4.34-10        unstable, testing
exim      3.36-13        unstable, testing
exim      3.35-1woody4   stable
exim-tls  3.35-3woody3   stable

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
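The behaviour Marc describes for the patched versions (the IPv6 parameter is rejected as unparseable before anything else happens) is the defensive pattern worth showing. The following is an added example, not Exim's own dns_build_reverse() and not from the advisory: it assumes the helper's job is to turn an IPv6 literal into its ip6.arpa reverse-lookup name, parses strictly with inet_pton(), and writes the name only into a caller-supplied buffer whose size is checked up front.

```c
/* Added example (not Exim's code): strict IPv6 parse followed by bounded
 * construction of the ip6.arpa reverse-lookup name. The malformed "::%A"
 * form quoted in the advisory fails at the parse step and never reaches
 * the name builder; the builder itself cannot write past out_len bytes. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* 32 nibbles, each followed by '.', then "ip6.arpa" and its NUL. */
#define REVERSE_NAME_LEN (32 * 2 + sizeof("ip6.arpa"))

/* Returns 1 and fills out[] on success; returns 0 if addr is not a valid
 * IPv6 literal or out_len is too small. out[] is untouched on failure. */
int build_reverse_v6(const char *addr, char *out, size_t out_len)
{
    unsigned char raw[16];
    size_t pos = 0;

    if (inet_pton(AF_INET6, addr, raw) != 1)   /* strict parse, no zone ids */
        return 0;
    if (out_len < REVERSE_NAME_LEN)            /* explicit bound check */
        return 0;

    /* Emit nibbles from the last byte backwards, low nibble before high,
     * as RFC 3596 specifies for ip6.arpa names. Each byte adds 4 chars. */
    for (int i = 15; i >= 0; i--)
        pos += (size_t)snprintf(out + pos, out_len - pos, "%x.%x.",
                                raw[i] & 0x0f, raw[i] >> 4);
    memcpy(out + pos, "ip6.arpa", sizeof("ip6.arpa"));  /* 9 bytes fit */
    return 1;
}

/* Self-check helper: 1 iff addr maps to exactly the expected name. */
int reverse_v6_equals(const char *addr, const char *expected)
{
    char name[REVERSE_NAME_LEN];
    return build_reverse_v6(addr, name, sizeof name) && strcmp(name, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one valid address, the advisory's malformed form. */
    const char *tests[] = { "2001:db8::1", "::%A" };
    char name[REVERSE_NAME_LEN];
    for (size_t i = 0; i < 2; i++) {
        if (build_reverse_v6(tests[i], name, sizeof name))
            printf("%s -> %s\n", tests[i], name);
        else
            printf("%s -> rejected (not a valid IPv6 address)\n", tests[i]);
    }
    return 0;
}
```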