
[Bug 2526] New: Buffer overrun or unterminated NTS in dkim_exim_verify_log_sig (sig->identity)
https://bugs.exim.org/show_bug.cgi?id=2526

Bug ID: 2526
Summary: Buffer overrun or unterminated NTS in dkim_exim_verify_log_sig (sig->identity)
Product: Exim
Version: 4.89
Hardware: x86
OS: All
Status: NEW
Severity: security
Priority: medium
Component: DKIM
Assignee: tom@duncanthrax.net
Reporter: serg.brester@sebres.de
CC: exim-dev@exim.org

# exim --version
Exim version 4.89 #1 built 03-Sep-2019 18:01:38
# lsb_release -d
Description: Debian GNU/Linux 9.12 (stretch)


Log-excerpt (special chars are replaced):

2020-02-12 01:47:19 1j1gBT-0001BQ-LE DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com\x93\xd4\x0c\x84\xbd\x0f\xd2_o=\x19\xb2 [verification
succeeded]
2020-02-13 01:52:38 1j22kA-0002xV-7g DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com-\xbe\xaaN\xba_\x06y\xb8\xebS\x01 [verification
succeeded]
2020-02-14 01:52:56 1j2PE0-0004fp-Ov DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024 i=@testagent.example.com\xd3\x957J\xbf?
\x8c\xb5R\xe7\x12 [verification succeeded]
2020-02-16 01:50:28 1j388i-0007wX-Nz DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com\x99\xbcr\x0c\xe9\xcc\x12\x81\xa6\x1b\x90\xe6
[verification succeeded]
2020-02-17 02:32:07 1j3VGZ-00019x-0W DKIM: d=testagent.example.com s=sim
c=relaxed/relaxed a=rsa-sha256 b=1024
i=@testagent.example.com\x9dF\xado\xcdi.]$\xa8\xf4\xee [verification
succeeded]


It looks like "sig->identity" could have a BO or is not properly terminated (or
has a wrong length), at least if it gets logged; see:

https://github.com/Exim/exim/blob/1d717e1c110562fd6bf28478c79f180cafeba776/src/src/dkim.c#L206

Anyway, the string "suffix" after the identity (e.g.
"\x93\xd4\x0c\x84\xbd\x0f\xd2_o=\x19\xb2") does not look right to me.

I see that sporadically in the exim log for different e-mail addresses (my IDS
system occasionally notices that the encoding of the log file is not well-formed
UTF-8).

Unfortunately the mails have already been removed, but if I get it again, I'll
provide the header of the mail that caused it.
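As an added illustration of the defensive logging the report asks for (this is not Exim's code, and dkim_identity_for_log and the sample buffer are constructed for it): render the identity into the log line using an explicit byte length, never relying on a NUL terminator, and escape any non-printable byte so the log stays well-formed ASCII even when the length passed in is wrong.

```c
/* Added example, not Exim code.  Assumes the caller knows the true byte
 * length of the identity; bytes beyond it never reach the log, and any
 * non-printable byte inside it is escaped instead of written raw. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Render up to id_len bytes of id into out as printable ASCII: printable
 * bytes (except backslash) are copied, everything else becomes \xNN.
 * The result is always NUL-terminated within out_sz bytes.  Returns the
 * number of characters written (excluding the NUL), or -1 on overflow. */
int dkim_identity_for_log(const unsigned char *id, size_t id_len,
                          char *out, size_t out_sz)
{
    size_t pos = 0;
    if (out_sz == 0) return -1;
    for (size_t i = 0; i < id_len; i++) {
        unsigned char c = id[i];
        if (isprint(c) && c != '\\') {
            if (pos + 1 >= out_sz) { out[pos] = '\0'; return -1; }
            out[pos++] = (char)c;
        } else {
            if (pos + 4 >= out_sz) { out[pos] = '\0'; return -1; }
            pos += (size_t)snprintf(out + pos, out_sz - pos, "\\x%02x", c);
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed sample: a valid identity followed by stray bytes, modelled
 * on the suffix seen in the report's log excerpt. */
static const unsigned char sample_buf[] =
    "@testagent.example.com" "\x93\xd4\x0c\x84\xbd\x0f\xd2_o=\x19\xb2";

int main(void)
{
    char line[128];
    /* Correct length (22 bytes): only the identity is logged. */
    dkim_identity_for_log(sample_buf, 22, line, sizeof line);
    printf("i=%s\n", line);
    /* Over-long length: the stray bytes still appear, but escaped. */
    dkim_identity_for_log(sample_buf, sizeof sample_buf - 1, line, sizeof line);
    printf("i=%s\n", line);
    return 0;
}
```

With the right length the second form of output never occurs; with a wrong length the escaping keeps the log line parseable and makes the defect visible rather than corrupting the file.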

## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##