Exim official upgrade to 4.92.2 urgently needed


Exim official upgrade to 4.92.2 urgently needed

Brian Inglis
Exim official upgrade to 4.92.2 urgently needed to include patch for published CVE:

https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/

https://exim.org/static/doc/security/CVE-2019-15846.txt

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

Re: Exim upgrade to 4.92.3 needed for multiple CVEs

Brian Inglis
On 2019-09-20 11:10, Brian Inglis wrote:
> Exim official upgrade to 4.92.2 urgently needed to include patch for published CVE:
> https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/
> https://exim.org/static/doc/security/CVE-2019-15846.txt

https://access.redhat.com/security/security-updates/#/cve?q=exim&p=1&sort=cve_publicDate%20desc&rows=100&documentKind=Cve

Since the "current" 4.86 release in 2015-10, another CVE, another upgrade required:

https://access.redhat.com/security/cve/cve-2019-16928
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability
than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in
string.c involving a long EHLO command.
http://exim.org/static/doc/security/CVE-2019-16928.txt

Also earlier this year:

https://access.redhat.com/security/cve/cve-2019-15846
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via
a trailing backslash.
https://exim.org/static/doc/security/CVE-2019-15846.txt

https://access.redhat.com/security/cve/cve-2019-13917
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in
some unusual configurations that use the ${sort} expansion for items that can be
controlled by an attacker (e.g., $local_part or $domain).
https://exim.org/static/doc/security/CVE-2019-13917.txt

https://access.redhat.com/security/cve/cve-2019-10149
A flaw was found in the way exim validated recipient addresses. A remote
attacker could use this flaw to execute arbitrary commands on the exim server
with the permissions of the user running the application.
https://exim.org/static/doc/security/CVE-2019-10149.txt

and last:

https://access.redhat.com/security/cve/cve-2018-6789
An issue was discovered in the base64d function in the SMTP listener in Exim
before 4.90.1. By sending a handcrafted message, a buffer overflow may happen.
This can be used to execute code remotely.
https://exim.org/static/doc/security/CVE-2018-6789.txt

and:

https://access.redhat.com/security/cve/cve-2017-16944
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to cause a denial of service (infinite loop and stack
exhaustion) via vectors involving BDAT commands and an improper check for a '.'
character signifying the end of the content, related to the bdat_getc function.

https://access.redhat.com/security/cve/cve-2017-16943
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to execute arbitrary code or cause a denial of service
(use-after-free) via vectors involving BDAT commands.
Mitigation
if you are running Exim 4.88 or newer, then in the main section of your Exim
configuration, set:
chunking_advertise_hosts =
This disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

https://access.redhat.com/security/cve/cve-2017-1000369
Exim supports the use of multiple "-p" command line arguments which are
malloc()'ed and never free()'ed, used in conjunction with other issues allows
attackers to cause arbitrary code execution. This affects exim version 4.89 and
earlier. Please note that at this time upstream has released a patch, but it is
not known if a new point release is available that addresses this issue at this
time.
Statement
Exim itself is not vulnerable to privilege escalation, but this particular flaw
in exim can be used by the stackguard vulnerability
(https://access.redhat.com/security/vulnerabilities/stackguard) to achieve
privilege escalation.

https://access.redhat.com/security/cve/cve-2016-9963
It was found that Exim leaked DKIM signing private keys to the "mainlog" log
file. As a result, an attacker with access to system log files could potentially
access these leaked DKIM private keys.
http://exim.org/static/doc/security/CVE-2016-9963.txt

https://access.redhat.com/security/cve/cve-2016-1531
Exim before 4.86.2, when installed setuid root, allows local users to gain
privileges via the perl_startup argument.
http://exim.org/static/doc/security/CVE-2016-1531.txt

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
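A small triage helper, added here as an example and not part of the thread, of Exim or of the Cygwin package: it pulls the version out of the line that `exim -bV` prints, checks it against the affected ranges quoted from the Red Hat and exim.org texts above, and treats the two BDAT CVEs as mitigated when the main configuration sets `chunking_advertise_hosts` to an empty value as described. The thread gives no version range for CVE-2019-10149; the 4.87 through 4.91 range used below comes from the upstream advisory. The `-bV` output and the configuration fragment are constructed samples, and the Cygwin package's 4.86 is used as the input.

```python
import re

def parse_version(text):
    """Turn '4.92.2' or '4.92' into a comparable tuple padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

# Affected ranges as half-open intervals [lo, hi) in Exim version numbers,
# taken from the advisory texts quoted in the thread ("before X" -> hi = X,
# "A through B" -> lo = A, hi = next release after B). None means unbounded.
# CVE-2019-10149's range (4.87 through 4.91) is not in the thread; it comes
# from the upstream advisory. The last field marks CVEs that need the
# CHUNKING extension (BDAT) to be advertised.
ADVISORIES = [
    ("CVE-2019-16928", "4.92", "4.92.3", "heap overflow in string_vformat via long EHLO", False),
    ("CVE-2019-15846", None,   "4.92.2", "code execution as root via trailing backslash", False),
    ("CVE-2019-13917", "4.85", "4.92.1", "${sort} expansion on attacker-controlled items", False),
    ("CVE-2019-10149", "4.87", "4.92",   "recipient address validation, command execution", False),
    ("CVE-2018-6789",  None,   "4.90.1", "base64d buffer overflow in the SMTP listener", False),
    ("CVE-2017-16944", "4.88", "4.90",   "BDAT handling, infinite loop / stack exhaustion", True),
    ("CVE-2017-16943", "4.88", "4.90",   "BDAT handling, use-after-free", True),
    ("CVE-2017-1000369", None, "4.90",   "leaked -p arguments, usable with stackguard", False),
    ("CVE-2016-1531",  None,   "4.86.2", "perl_startup local privilege escalation (setuid root)", False),
]

def affected_cves(version, chunking_advertised=True):
    """Return the CVE ids from ADVISORIES that apply to this Exim version."""
    v = parse_version(version)
    hits = []
    for cve, lo, hi, _desc, needs_chunking in ADVISORIES:
        if lo is not None and v < parse_version(lo):
            continue
        if hi is not None and v >= parse_version(hi):
            continue
        if needs_chunking and not chunking_advertised:
            continue  # mitigated by an empty chunking_advertise_hosts
        hits.append(cve)
    return hits

def version_from_bv(output):
    """Extract the version from the first line printed by 'exim -bV'."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", output, re.M)
    return m.group(1) if m else None

def chunking_advertised(config_text):
    """True unless the main section sets chunking_advertise_hosts to empty.

    Exim's default for chunking_advertise_hosts is '*', so an absent
    setting means CHUNKING is advertised to every host."""
    m = re.search(r"^\s*chunking_advertise_hosts\s*=(.*)$", config_text, re.M)
    if m is None:
        return True
    return m.group(1).strip() != ""

# Constructed sample output of 'exim -bV' for the Cygwin package's 4.86.
SAMPLE_BV = "Exim version 4.86 #1 built 12-Oct-2015 07:00:00\n"

# Constructed main-section fragment applying the mitigation from the thread.
SAMPLE_CONFIG = """primary_hostname = mail.example.org
chunking_advertise_hosts =

begin acl
"""

if __name__ == "__main__":
    ver = version_from_bv(SAMPLE_BV)
    chunk = chunking_advertised(SAMPLE_CONFIG)
    print(f"Exim {ver}, CHUNKING advertised: {chunk}")
    for cve in affected_cves(ver, chunk):
        desc = next(d for c, _, _, d, _ in ADVISORIES if c == cve)
        print(f"  {cve}: {desc}")
```

Run it against the real `exim -bV` output and the running configuration to get the list of advisories an installed binary still needs; a version of 4.92.3 or later yields an empty list for everything quoted in the thread.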

Re: Exim upgrade to 4.92.3 needed for multiple CVEs

Achim Gratz
Brian Inglis writes:
[…]

I am looking at that package, but sadly it is in an advanced state of
bitrot.  The source package doesn't contain all the files that are
actually needed for the binary package.  Besides, exim itself uses one
of these homegrown build systems that has of course changed since the
last time exim was built for Cygwin.  I've got it to compile, but the
packaging is incomplete and requires quite a bit more work than I was
planning to spend.

I would suggest dropping the package unless Pierre provides an update
himself, but if anybody wants to adopt the package and fix things up
properly I'll be happy to let you have the incomplete cygport file and
patches.


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada

Re: Exim upgrade to 4.92.3 needed for multiple CVEs

Brian Inglis
On 2019-10-04 08:51, ASSI wrote:
> I am looking at that package, but sadly it is in an advanced state of
> bitrot.  The source package doesn't contain all the files that are
> actually needed for the binary package.  Besides, exim itself uses one
> of these homegrown build systems that has of course changed since the
> last time exim was built for Cygwin.  I've got it to compile, but the
> packaging is incomplete and requires quite a bit more work than I was
> planning to spend.

That was what I found and thought.
If you don't mind me asking, how much did you get to build, and what do you see
needing done?
If you got further than me, I might be willing to complete the packaging.

> I would suggest to drop the package unless Pierre provides an update
> himself, but if anybody wants to adopt the package and fix things up
> properly I'll be happy to let you have the incomplete cygport file and
> patches.

+1

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

Re: Exim upgrade to 4.92.3 needed for multiple CVEs

Pierre A. Humblet-3
On 10/4/2019 10:51 AM, ASSI wrote:

> Brian Inglis writes:
> […]
>
> I am looking at that package, but sadly it is in an advanced state of
> bitrot.  The source package doesn't contain all the files that are
> actually needed for the binary package.  Besides, exim itself uses one
> of these homegrown build systems that has of course changed since the
> last time exim was built for Cygwin.  I've got it to compile, but the
> packaging is incomplete and requires quite a bit more work than I was
> planning to spend.
>
> I would suggest to drop the package unless Pierre provides an update
> himself, but if anybody wants to adopt the package and fix things up
> properly I'll be happy to let you have the incomplete cygport file and
> patches.
>
>
> Regards,
> Achim.

I will take a look next week and release the latest version.

I would be happy to pass on this package to anyone interested, either as
is or after I prepare the latest.

Pierre


Re: Exim upgrade to 4.92.3 needed for multiple CVEs

Achim Gratz
Pierre Humblet writes:
> I will take a look next week and release the latest version.
>
> I would be happy to pass on this package to anyone interested, either
> as is or after I prepare the latest.


I've attached what I managed to get to so far.  You are pulling in some
Windows headers that define BOOL in a conflicting way to exim, so I
boldly went and changed that definition in exim.  I have no idea if
that's going to work, but it at least compiles.

As I said, the postinstall script is missing (I would need to pull it from the
latest binary archive I guess) and I'd need to arrange for the install to
actually use your exim.conf instead of the default one (some
doins/insinto invocation probably).  The install also didn't install the
manpage, so that needs fixing too.


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs

Attachment: exim-cygwin.tar.xz (55K)

Re: Exim upgrade to 4.92.3 needed for multiple CVEs

Achim Gratz
ASSI writes:
> I've attached what I managed to get to so far.

Sorry, that archive had a few patch files that are not used; attached is
the pruned archive.


The pam-0.90 sources were formerly in a patch, but I've moved them to
SRC_URI, so you need to provide a tar file for that that expands into
pam/ with the current exim.cygport file.  Let me know if you have any
questions.


Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada

Attachment: exim-cygwin.tar.xz (44K)