
[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Jeremy Harris <jgh146exb@wizmail.org> changed:

What      |Removed |Added
----------------------------------------------------------------------------
See Also  |        |https://bugs.exim.org/show_bug.cgi?id=2490

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Git Commit <git@exim.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |git@exim.org

--- Comment #1 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/f7f933a199be8bb7362c715e0040545b514cddca

commit f7f933a199be8bb7362c715e0040545b514cddca
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Tue Jun 2 14:50:31 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Tue Jun 2 14:57:02 2020 +0100

Taint: fix pam expansion condition. Bug 2587
---
doc/doc-txt/ChangeLog | 5 +++++
src/src/auths/call_pam.c | 5 ++---
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a4526ca..93bd62c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -10,6 +10,11 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to
match other mail-
related applications. Previously an "H" was used where available info
says that "M" should be, so change to match.

+JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
+ as arguments, so an implementation trying to copy these into local
+ buffer was taking a taint-enformance trap. Fix by using dynamically
+ created buffers.
+

Exim version 4.94
-----------------
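Review bot: typo in the new JH/02 entry, "taint-enformance trap" should read "taint-enforcement trap", and "into local buffer" reads better as "into a local buffer". The wording otherwise matches the code change (the fixed big_buffer replaced by dynamically created buffers), so only the spelling needs a follow-up.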
diff --git a/src/src/auths/call_pam.c b/src/src/auths/call_pam.c
index 2959cbb..80bb23e 100644
--- a/src/src/auths/call_pam.c
+++ b/src/src/auths/call_pam.c
@@ -83,8 +83,7 @@ for (int i = 0; i < num_msg; i++)
{
case PAM_PROMPT_ECHO_ON:
case PAM_PROMPT_ECHO_OFF:
- arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
- if (!arg)
+ if (!(arg = string_nextinlist(&pam_args, &sep, NULL, 0)))
{
arg = US"";
pam_arg_ended = TRUE;
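Review bot: passing `NULL, 0` instead of `big_buffer, big_buffer_size` is what removes the taint trap, because string_nextinlist then returns a dynamically created buffer (per the commit message) rather than copying the tainted argument into the fixed one, but it also changes the lifetime of `arg`: every prompt handled in this conversation loop now yields its own allocation instead of reusing a single buffer. A one-line comment at the call site saying the allocation is deliberate would stop a later cleanup from reintroducing the fixed buffer. Minor style point: folding the assignment into the `if` is fine, but the second hunk keeps the two-statement `user = ...; if (user == NULL ...)` form, so pick one style for the file.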
@@ -155,7 +154,7 @@ pam_arg_ended = FALSE;
fail. PAM doesn't support authentication with an empty user (it prompts for
it,
causing a potential mis-interpretation). */

-user = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
+user = string_nextinlist(&pam_args, &sep, NULL, 0);
if (user == NULL || user[0] == 0) return FAIL;

/* Start off PAM interaction */
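Review bot: the guard `if (user == NULL || user[0] == 0) return FAIL;` still does what the comment above it promises with the new call, since a missing list item yields NULL and an empty item yields "", so no change is needed there. Two things to confirm: `user` no longer lives in big_buffer, so nothing later in this function or in the conversation callback may assume it can be found or overwritten there; and this hunk uses `user == NULL` where the first hunk uses `!arg`, so one of the two should be aligned for consistency.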

[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Caleb Maclennan <caleb@alerque.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |caleb@alerque.com

--- Comment #2 from Caleb Maclennan <caleb@alerque.com> ---
For anybody else struggling with this: The bug only affects the PLAIN login
mechanism, LOGIN works okay. Not perfect because not all clients support LOGIN,
but you might get a few clients back online by disabling PLAIN entirely and
forcing clients to use LOGIN instead.

For the developers: This bug has completely ruined 4.94 for production use,
please release the fix for this as a patch release ASAP!


[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Leonhard Knauff <lk@mlucom21.urz.uni-halle.de> changed:

What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |lk@mlucom21.urz.uni-halle.de

--- Comment #3 from Leonhard Knauff <lk@mlucom21.urz.uni-halle.de> ---
The same error occurs at

AUTH/PLAIN with RADIUS:

Taint mismatch, string_nextinlist: auth_call_radius 99

[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
(In reply to Leonhard Knauff from comment #3)
> AUTH/PLAIN with RADIUS:

Is that a pam expansion condition, or via some other route?

[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Assignee|unallocated@exim.org |jgh146exb@wizmail.org
Status|NEW |ASSIGNED

[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

--- Comment #5 from Leonhard Knauff <lk@mlucom21.urz.uni-halle.de> ---
(In reply to Jeremy Harris from comment #4)
> (In reply to Leonhard Knauff from comment #3)
> > AUTH/PLAIN with RADIUS:
>
> Is that a pam expansion condition, or via some other route?

No Pam or other expansion.

My "exim.conf":

auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if radius{$auth2:$auth3}{yes}{no} }
  server_set_id = $auth2

Radius-Client: freeradius-client
Exim 4.92.3 works fine, Exim 4.93 not used

[Bug 2587] pam expansion condition fails on tainted data
https://bugs.exim.org/show_bug.cgi?id=2587

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
