Exim 4.82.1 - SECURITY release

unihostbrasil

Exim 4.82.1 released

This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in Exim version 4.82 (only) when built with DMARC support (an
experimental feature, not on by default). This release is identical to
4.82 except for the small change needed to plug the security hole. The
next release of Exim will, eventually, be 4.83, which will include the
many improvements we've made since 4.82, but which will require the
normal release candidate baking process before release.

You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC.

This issue is known by the CVE ID of CVE-2014-2957, and was reported
directly to the Exim development team by a company which uses Exim for
its mail server. An Exim developer constructed a small patch which
altered the way the contents of the From header are parsed by converting
it to use safer and better internal functions. It was applied and
tested on a production server for correctness. We were notified of the
vulnerability Friday night, created a patch on Saturday, applied and
tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
releasing on the next available work day, which is Wednesday.

This is why we have made the smallest feasible changes to prevent
exploit: we want this change to be as safe as possible to expedite into
production (if the packages were built with DMARC).
 
after ./build exim I get:

Code:
<< compilation looks ok >>
Configuration file /etc/exim.conf already exists

Exim installation complete
Moving exim binary.
ls: cannot access /usr/sbin/exim-4.82.1-*: No such file or directory
mv: missing destination file operand after `/usr/sbin/exim'
Try `mv --help' for more information.
Exim 4.82.1 Installed.
Restarting exim.
Shutting down exim:
Starting exim:

after ./build versions I get same old version exim
 
An hour ago I sent a PM to smtalk to warn of this error, I guess that it will be solved soon, this is what I sent:

Code:
Exim installation complete
Moving exim binary.
ls: cannot access /usr/sbin/exim-4.82.1-*: No such file or directory
mv: missing destination file operand after `/usr/sbin/exim'
Try `mv --help' for more information.
Exim 4.82.1 Installed.

# exim --version
Exim version 4.82 #3 built 12-May-2014 14:59:22

# ls /usr/sbin/exim*
-rwsr-xr-x 1 root root 1095525 May 12 14:59 /usr/sbin/exim
-rwsr-xr-x 1 root root 1095492 May 29 00:12 /usr/sbin/exim-4.82_1-5b7a7c0-XX-3
I think the error is here in the dot:
exim-4.82.1-*
exim-4.82_1-

I have moved the correct binary and restarted exim:

Code:
# mv /usr/sbin/exim-4.82_1-5b7a7c0-XX-3 /usr/sbin/exim
# service exim restart


# exim --version
Exim version 4.82_1-5b7a7c0-XX #3 built 29-May-2014 00:12:37

Code:
# ./build versions

Latest version of Exim: 4.82.1
Installed version of Exim: 4.82_1-5b7a7c0-XX


Exim 4.82_1-5b7a7c0-XX to 4.82.1 update is available.
 
Hey,

I sent John/Mark an email earlier today regarding exactly what you are seeing... I actually replaced the binary with the one that was created and it appears to be working OK... time will tell.

In the email headers you do see "(Exim 4.82_1-5b7a7c0-XX)" which does seem odd... :^)

David
 
I think the exim developers forgot to remove the coding version number value from the:
Code:
src/version.sh
I've just re-packed the exim-4.82.1.tar.gz with the correct version.sh numbering on our files1 server.

Eg src/version.sh should look like:
Code:
# automatically generated file - see ../scripts/reversion
EXIM_RELEASE_VERSION="4.82.1"
EXIM_VARIANT_VERSION=""
EXIM_COMPILE_NUMBER="1"
but it was:
Code:
# automatically generated file - see ../scripts/reversion
EXIM_RELEASE_VERSION="4.82"
EXIM_VARIANT_VERSION="_1-5b7a7c0-XX"
EXIM_COMPILE_NUMBER="1"
so after downloading the re-packaged version, it should be ok.

Please allow 24 hours for rsync to all files mirrors.

John
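As an added illustration (not DirectAdmin's build script and not code from the Exim project), the POSIX shell snippet below reads the two version.sh fragments quoted above and shows why the installer's `exim-4.82.1-*` pattern found nothing: it assumes, from the `ls` and `exim --version` output earlier in the thread, that the version string is EXIM_RELEASE_VERSION followed by EXIM_VARIANT_VERSION and that the installed binary is named exim-<version>-<compile number>.

```shell
#!/bin/sh
# Added example: reproduce the version.sh / installer glob mismatch.
# Assumption (from the thread's ls output): the build drops the binary as
# exim-<release><variant>-<compile number> before moving it to /usr/sbin/exim.

# Constructed copy of the version.sh that shipped in the first tarball.
BROKEN_VERSION_SH='EXIM_RELEASE_VERSION="4.82"
EXIM_VARIANT_VERSION="_1-5b7a7c0-XX"
EXIM_COMPILE_NUMBER="1"'

# Constructed copy of the corrected version.sh from the repack.
FIXED_VERSION_SH='EXIM_RELEASE_VERSION="4.82.1"
EXIM_VARIANT_VERSION=""
EXIM_COMPILE_NUMBER="1"'

# Extract one double-quoted value from version.sh text without eval'ing it.
# $1 = version.sh contents, $2 = variable name
version_sh_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p"
}

# Binary name the build would produce from a given version.sh.
binary_name_from_version_sh() {
    printf 'exim-%s%s-%s\n' \
        "$(version_sh_value "$1" EXIM_RELEASE_VERSION)" \
        "$(version_sh_value "$1" EXIM_VARIANT_VERSION)" \
        "$(version_sh_value "$1" EXIM_COMPILE_NUMBER)"
}

# Does the installer's pattern exim-<expected release>-* match this binary?
# $1 = release "./build versions" reports as latest, $2 = binary name
installer_glob_matches() {
    case "$2" in
        "exim-$1"-*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Walk both fragments: the broken one yields exim-4.82_1-5b7a7c0-XX-1, which
# exim-4.82.1-* cannot match, so ls/mv fail exactly as in the first post.
for sample in "$BROKEN_VERSION_SH" "$FIXED_VERSION_SH"; do
    name=$(binary_name_from_version_sh "$sample")
    if installer_glob_matches 4.82.1 "$name"; then
        echo "$name: matches exim-4.82.1-*, mv would succeed"
    else
        echo "$name: no match for exim-4.82.1-*, mv would fail"
    fi
done
```

Checking the expected name this way before the `mv` would have turned the silent "missing destination file operand" into a clear pre-install failure.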
 
Hello all

Is Exim on DirectAdmin compiled with EXPERIMENTAL_DMARC by default?
 
People using DKIM need to apply this patch:
Code:
From 6eb02f881ddd9af83d697244ec35704c8dfbe9a8 Mon Sep 17 00:00:00 2001
From: Todd Lyons <[email protected]>
Date: Wed, 28 May 2014 08:48:45 -0700
Subject: [PATCH] Bug 1444: Fix \r\n handling writing spool file

Fix a bug which causes DKIM signatures to fail because what gets
  written to the spool file is different than what gets passed through
  the DKIM code.
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/receive.c     | 1 +
 2 files changed, 4 insertions(+)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ee56623..a1ef019 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -123,6 +123,9 @@ TL/11 Bug 1119: fix memory allocation in string_printing2().  Patch from
 
 JH/24 The OCSP stapling feature is moved from Experimental into the mainline.
 
+TL/12 Bug 1444: Fix improper \r\n sequence handling when writing spool
+      file.  Patch from Wolfgang Breyha.
+
 
 Exim version 4.82
 -----------------
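Review bot: the new TL/12 entry names the internal cause (improper \r\n handling when writing the spool file) but not the user-visible symptom the commit message gives, failing DKIM signatures; add "causing DKIM signature failures" so an admin scanning the ChangeLog can tie it to what they see. The entry also credits "Patch from Wolfgang Breyha" while the commit's From: line is Todd Lyons; if Breyha wrote the fix, record him as the commit author so the ChangeLog and git history agree.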
diff --git a/src/src/receive.c b/src/src/receive.c
index ea957c7..ac3f0cf 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -684,6 +684,7 @@ while ((ch = (receive_getc)()) != EOF)
 
     case 1:                         /* After written "\n" */
     if (ch == '.') { ch_state = 3; continue; }
+    if (ch == '\r') { ch_state = 2; continue; }
     if (ch != '\n') ch_state = 0; else linelength = -1;
     break;
 
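Review bot: the added line `if (ch == '\r') { ch_state = 2; continue; }` carries no comment, unlike the neighbouring `case 1: /* After written "\n" */`, and nothing in the visible context says what ch_state 2 represents; give it a short comment (e.g. `/* "\r" immediately after "\n" */`) or name the states with an enum so the one-line fix can be reviewed without reading the whole switch. The placement itself looks right: before this change a '\r' that directly followed a written newline fell through to `if (ch != '\n') ch_state = 0;` and was handled as ordinary line text, which is the spool-versus-DKIM mismatch the commit message describes; a regression test that feeds a message containing a CRLF right after an empty line would pin the new behaviour down.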
-- 
1.9.3
https://github.com/Exim/exim/commit/6eb02f881ddd9af83d697244ec35704c8dfbe9a8.patch
 
Thanks for the report.
I've manually added the 1 line of code to the source, and repacked the exim-4.82.1.tar.gz file (on files1, allow 24 hours for other servers)
You will see a failed md5sum error with a ./build update, which will be normal as the tar.gz has changed.
Follow that by an exim recompile.

John
 