package/exim: add upstream security fix for CVE-2019-10149
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in src/deliver.c may lead to remote command execution. For more details, see the advisory: https://www.exim.org/static/doc/security/CVE-2019-10149.txt Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard
parent
1272878fd0
commit
83967ef53d
51
package/exim/0007-Fix-CVE-2019-10149.patch
Normal file
51
package/exim/0007-Fix-CVE-2019-10149.patch
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
From d740d2111f189760593a303124ff6b9b1f83453d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Harris <jgh146exb@wizmail.org>
|
||||||
|
Date: Mon, 27 May 2019 21:57:31 +0100
|
||||||
|
Subject: [PATCH] Fix CVE-2019-10149
|
||||||
|
|
||||||
|
[Peter: drop documentation update, fix path]
|
||||||
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
||||||
|
---
|
||||||
|
src/deliver.c | 22 ++++++++++++++--------
|
||||||
|
1 files changed, 52 insertions(+), 8 deletions(-)
|
||||||
|
create mode 100644 doc/doc-txt/cve-2019-10149
|
||||||
|
|
||||||
|
diff --git a/src/deliver.c b/src/deliver.c
|
||||||
|
index 59256ac2..45cc0723 100644
|
||||||
|
--- a/src/deliver.c
|
||||||
|
+++ b/src/deliver.c
|
||||||
|
@@ -6227,17 +6227,23 @@ if (process_recipients != RECIP_IGNORE)
|
||||||
|
{
|
||||||
|
uschar * save_local = deliver_localpart;
|
||||||
|
const uschar * save_domain = deliver_domain;
|
||||||
|
+ uschar * addr = new->address, * errmsg = NULL;
|
||||||
|
+ int start, end, dom;
|
||||||
|
|
||||||
|
- deliver_localpart = expand_string(
|
||||||
|
- string_sprintf("${local_part:%s}", new->address));
|
||||||
|
- deliver_domain = expand_string(
|
||||||
|
- string_sprintf("${domain:%s}", new->address));
|
||||||
|
+ if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
|
||||||
|
+ log_write(0, LOG_MAIN|LOG_PANIC,
|
||||||
|
+ "failed to parse address '%.100s': %s\n", addr, errmsg);
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ deliver_localpart =
|
||||||
|
+ string_copyn(addr+start, dom ? (dom-1) - start : end - start);
|
||||||
|
+ deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
|
||||||
|
|
||||||
|
- (void) event_raise(event_action,
|
||||||
|
- US"msg:fail:internal", new->message);
|
||||||
|
+ event_raise(event_action, US"msg:fail:internal", new->message);
|
||||||
|
|
||||||
|
- deliver_localpart = save_local;
|
||||||
|
- deliver_domain = save_domain;
|
||||||
|
+ deliver_localpart = save_local;
|
||||||
|
+ deliver_domain = save_domain;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user