Mailing List Archive

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Orange Tsai <orange@devco.re> changed:

What    | Removed                           | Added
--------+-----------------------------------+-----------------------------------
Summary | Out-of-bound buffer read leads to | Out-of-bound buffer read leads to
        | authentication bypass in Exim SPA | Authentication Bypass in Exim SPA
        | authentication method             | authentication method

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Jeremy Harris <jgh146exb@wizmail.org> changed:

What             | Removed    | Added
-----------------+------------+----------
Status           | NEW        | ASSIGNED
Target Milestone | Exim 4.95+ | Exim 4.94

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Git Commit <git@exim.org> changed:

What | Removed | Added
-----+---------+-------------
CC   |         | git@exim.org

--- Comment #1 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/57aa14b216432be381b6295c312065b2fd034f86

commit 57aa14b216432be381b6295c312065b2fd034f86
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Tue May 5 21:02:14 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Tue May 5 21:02:14 2020 +0100

fix spa authenticator, checking client-supplied data before using it. bug
2571
----
doc/doc-txt/ChangeLog | 5 ++
src/src/auths/auth-spa.c | 120 +++++++++++++++++++++++------------------------
src/src/auths/spa.c | 20 ++++++--
3 files changed, 82 insertions(+), 63 deletions(-)

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

--- Comment #2 from Orange Tsai <orange@devco.re> ---
Hi! The patch just checks that "pointer + offset" is smaller than the end of
`responseptr`. However, the check condition is prone to integer overflow. An
attacker can cause a crash on 32-bit systems.
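The overflow Comment #2 describes, as an added example that is not Exim's code: a constructed stand-in for the SPA response record (field names and sizes are assumptions), a 32-bit-arithmetic model of the first fix's pointer comparison that wraps for a large client-supplied offset, and the overflow-safe offset check beside it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for Exim's SPAAuthResponse (sizes assumed): a fixed-size
   record whose header holds client-supplied (offset, length) field descriptors. */
typedef struct { uint16_t len; uint32_t offset; } spa_field;
typedef struct {
    spa_field user;
    spa_field nt_response;
    uint8_t buffer[1024];
} spa_response;

/* Mirrors the first fix's "p + len >= end" test under 32-bit address arithmetic:
   off + len is reduced modulo 2^32, so an offset close to UINT32_MAX wraps to a
   small value and the test wrongly passes although the field is far outside. */
static bool span_ok_naive32(uint32_t off, uint32_t len)
{
    uint32_t end = off + len;                 /* wraps on 32-bit */
    return end < (uint32_t)sizeof(spa_response);
}

/* Overflow-safe form, in the spirit of the reworked fix: bound each operand
   first and compare offsets rather than pointers, so nothing can wrap and no
   pointer outside the record is ever formed. A span ending exactly at the end
   of the record is accepted. */
static bool span_ok(uint32_t off, uint32_t len)
{
    const size_t total = sizeof(spa_response);
    if (off >= total) return false;           /* must start inside the record */
    return len <= total - off;                /* off + len <= total, no overflow */
}

/* Resolve a descriptor to a pointer only after validation; NULL if rejected. */
static const uint8_t *spa_field_ptr(const spa_response *r, const spa_field *f)
{
    if (!span_ok(f->offset, f->len)) return NULL;
    return (const uint8_t *)r + f->offset;
}

int main(void)
{
    spa_response r = {0};                     /* constructed sample record */
    r.nt_response.len = 24;
    r.nt_response.offset = offsetof(spa_response, buffer);
    printf("in-bounds:  %s\n", spa_field_ptr(&r, &r.nt_response) ? "accepted" : "rejected");
    r.nt_response.offset = UINT32_MAX;        /* hostile descriptor */
    printf("naive/safe: %s/%s\n", span_ok_naive32(UINT32_MAX, 24) ? "accepted" : "rejected",
           spa_field_ptr(&r, &r.nt_response) ? "accepted" : "rejected");
    return 0;
}
```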

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

--- Comment #3 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0

commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Wed May 6 22:31:25 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Wed May 6 22:31:25 2020 +0100

Rework SPA fix to avoid overflows. Bug 2571

Amends: 57aa14b216
---
src/src/auths/spa.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index f83d114..ff90d33 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -141,6 +141,7 @@ SPAAuthResponse response;
SPAAuthResponse *responseptr = &response;
uschar msgbuf[2048];
uschar *clearpass, *s;
+unsigned off;

/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */
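Review bot: `unsigned off` is later compared against `sizeof(SPAAuthResponse)`, a `size_t`; declaring it as `size_t` (or `uint32_t`, matching the 32-bit wire field IVAL() reads) would make the intended width explicit instead of relying on promotion, and since the variable is shared between two separate checks further down the function, a short comment at the declaration saying it holds an untrusted client offset would help the next reader.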
@@ -187,10 +188,13 @@ that causes failure if the size of msgbuf is exceeded.
****/

{
int i;
- char * p = (CS responseptr) + IVAL(&responseptr->uUser.offset,0);
+ char * p;
int len = SVAL(&responseptr->uUser.len,0)/2;

- if (p + len*2 >= CS (responseptr+1))
+ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+ || len >= sizeof(responseptr->buffer)/2
+ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+ )
{
DEBUG(D_auth)
debug_printf("auth_spa_server(): bad uUser spec in response\n");
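Review bot: the third condition still forms `(p = (CS responseptr) + off) + len*2` as a pointer before comparing it with `CS (responseptr+1)`; now that `off < sizeof(SPAAuthResponse)` and `len < sizeof(responseptr->buffer)/2` are enforced first the sum is bounded and cannot wrap, but when the span is too long a pointer beyond one-past-the-end of `response` is still constructed, which C leaves undefined. Comparing offsets instead, e.g. `off + (unsigned)len*2 > sizeof(SPAAuthResponse)`, keeps the arithmetic on already-bounded integers, and assigning `p` only after the check would match what the third hunk does for `s`. Minor: `len` is an `int` compared with a `size_t`; it comes from a 16-bit SVAL() so it cannot be negative, and `>=` rejects a span ending exactly at the end of the structure, which is conservative rather than wrong.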
@@ -242,13 +246,14 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData,
ntRespData);

/* compare NT hash (LM may not be available) */

-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
-if (s + 24 >= US (responseptr+1))
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
{
DEBUG(D_auth)
debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
return FAIL;
}
+s = (US responseptr) + off;

if (memcmp(ntRespData, s, 24) == 0)
return auth_check_serv_cond(ablock); /* success. we have a winner. */
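Review bot: `off >= sizeof(SPAAuthResponse) - 24` is the right shape here, since `off + 24 > sizeof(SPAAuthResponse)` would reintroduce the 32-bit wrap raised in Comment #2; it relies on `sizeof(SPAAuthResponse) > 24`, which holds given the embedded buffer but deserves a static assertion or comment next to the check, and `>=` rejects `off == sizeof(SPAAuthResponse) - 24` even though that span ends exactly at the end of the structure (conservative, not a bug). Separately, the `memcmp(ntRespData, s, 24)` that follows compares an authentication response in variable time; a constant-time comparison would remove the timing difference between a mismatch in the first byte and one in the last.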

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

--- Comment #4 from Andreas Metzler <eximusers@bebt.de> ---
Should this get a CVE?

Re: [Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
On 07/05/2020 16:57, admin--- via Exim-dev wrote:
> https://bugs.exim.org/show_bug.cgi?id=2571
>
> --- Comment #4 from Andreas Metzler <eximusers@bebt.de> ---
> Should this get a CVE?

Possibly.

Pro: people who watch for CVEs get a heads-up they should pull in the
fix.

Con: because of the publication of the bug, there was no pre-announcement
notifying of the issue and giving time for the major distros to
pick up the bug before the issue went public.

I'm not sure I have the energy.
--
Cheers,
Jeremy

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Salvatore Bonaccorso <carnil@debian.org> changed:

What | Removed | Added
-----+---------+------------------
CC   |         | carnil@debian.org

--- Comment #5 from Salvatore Bonaccorso <carnil@debian.org> ---
Hi Andreas, I requested one from MITRE via cveform.mitre.org (assuming this
was not done yet, but I have added a comment that it might have already been
requested).

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

--- Comment #6 from Salvatore Bonaccorso <carnil@debian.org> ---
The CVE assigned by MITRE is CVE-2020-12783.

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Salvatore Bonaccorso <carnil@debian.org> changed:

What  | Removed | Added
------+---------+---------------
Alias |         | CVE-2020-12783

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Renaud Allard <renaud@allard.it> changed:

What | Removed | Added
-----+---------+-----------------
CC   |         | renaud@allard.it

--- Comment #7 from Renaud Allard <renaud@allard.it> ---
Now that there is a CVE, I think it deserves a fixed release for distributions.

[Bug 2571] Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

Jeremy Harris <jgh146exb@wizmail.org> changed:

What       | Removed  | Added
-----------+----------+---------
Resolution | ---      | FIXED
Status     | ASSIGNED | RESOLVED

--- Comment #8 from Jeremy Harris <jgh146exb@wizmail.org> ---
Lacking further substantive comment on the fix, closing.
