[Bug 2617] Taint mismatch in parse_fix_phrase
https://bugs.exim.org/show_bug.cgi?id=2617

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Assignee|unallocated@exim.org |jgh146exb@wizmail.org
Status|NEW |ASSIGNED

--- Comment #1 from Jeremy Harris <jgh146exb@wizmail.org> ---
Slightly awkward, since the problem buffer is passed in from the caller, and
it's called in seven places.

0 src/acl.c acl_check_condition 3202 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
1 src/exim.c main 4772 originator_name = string_copy(parse_fix_phrase(originator_name,
2 src/functions.h moan_tell_someone 369 extern const uschar *parse_fix_phrase(const uschar *, int , uschar *, int );
3 src/parse.c parse_fix_phrase 989 parse_fix_phrase(const uschar *phrase, int len, uschar *buffer, int buffer_size)
4 src/parse.c main 2118 printf("%s\n", CS parse_fix_phrase(buffer, Ustrlen(buffer), outbuff,
5 src/rewrite.c rewrite_one 298 pf1 = parse_fix_phrase(new, p1 - new, buff1, sizeof(buff1));
6 src/rewrite.c rewrite_one 300 pf2 = parse_fix_phrase(p2, Ustrlen(p2), buff2, sizeof(buff2));

I'll go through the callers to see if I can discount any of them.

[. We trap an attempted copy of tainted data into untainted-use memory ]

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
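An added illustration of the taint rule behind the trap described in Comment #1; this is a model written for this thread, not Exim's code. The "before" and "after" shapes are assumed from the commit's diffstat (callers dropping their buffer arguments) rather than taken from the patch, and the phrase fix-up is reduced to a simplified quoting rule.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Model of Exim-style taint tracking, added for illustration; not Exim's
 * own code. Each string carries a flag recording whether it came from an
 * untrusted source (a header, an SMTP command, a lookup result). */
typedef struct { char *s; bool tainted; } tstr;

/* Simplified phrase fix-up (assumed; the real parse_fix_phrase() does more):
 * if the phrase contains RFC 5322 specials, quote it and escape '"' and '\'.
 * Writes at most `size` bytes including the terminator and returns the
 * number of bytes the full result needs, so size 0 measures without writing. */
static size_t fix_phrase_raw(const char *phrase, char *dst, size_t size)
{
    bool quote = strpbrk(phrase, "()<>@,;:\\\".[]") != NULL;
    size_t n = 0;
#define PUT(c) do { if (n + 1 < size) dst[n] = (c); n++; } while (0)
    if (quote) PUT('"');
    for (const char *p = phrase; *p; p++) {
        if (quote && (*p == '"' || *p == '\\')) PUT('\\');
        PUT(*p);
    }
    if (quote) PUT('"');
#undef PUT
    if (size) dst[n < size ? n : size - 1] = '\0';
    return n + 1;
}

/* Pre-fix shape: the caller supplies the output buffer, whose taint is
 * whatever the caller happened to allocate. A tainted phrase meeting an
 * untainted buffer is the "Taint mismatch, Ustrncpy" trap from the log
 * line in this thread; here it is reported as a NULL return instead. */
const char *fix_phrase_into(tstr phrase, tstr buffer, size_t size)
{
    if (phrase.tainted && !buffer.tainted) return NULL;   /* taint mismatch */
    fix_phrase_raw(phrase.s, buffer.s, size);
    return buffer.s;
}

/* Post-fix shape (assumed from the diffstat, not the exact upstream change):
 * the function allocates its own result carrying the taint of its input,
 * so a caller can no longer hand over a buffer of the wrong kind. */
tstr fix_phrase(tstr phrase)
{
    size_t need = fix_phrase_raw(phrase.s, NULL, 0);
    tstr out = { malloc(need), phrase.tainted };
    fix_phrase_raw(phrase.s, out.s, need);
    return out;
}
```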
[Bug 2617] Taint mismatch in parse_fix_phrase [ In reply to ]
https://bugs.exim.org/show_bug.cgi?id=2617

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
The pair of calls from rewrite look plausible; do you use rewrites?


--- Comment #3 from David Carter <dpc22@cam.ac.uk> ---
The only rewrite rule in place on these machines is:

# Continue to support broken Hermes user configurations.
*@*.hermes.cam.ac.uk $1@hermes.cam.ac.uk hF

which is ancient history. It is plausible that a handful of messages might
trigger that each day.


--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
Created attachment 1322
--> https://bugs.exim.org/attachment.cgi?id=1322&action=edit
proposed fix


--- Comment #5 from David Carter <dpc22@cam.ac.uk> ---
Hmm. I commented out the rewrite rule on one machine:

#*@*.hermes.cam.ac.uk $1@hermes.cam.ac.uk hF

and sent a HUP signal to the Exim listener:

2020-07-09 13:17:47 +0100 pid 120919: SIGHUP received: re-exec daemon

However I am still seeing errors:

2020-07-09 14:05:58 +0100 Taint mismatch, Ustrncpy: parse_fix_phrase 1153

so I don't think that the rewrite code is involved. Sorry.


--- Comment #6 from Jeremy Harris <jgh146exb@wizmail.org> ---
OK; the only other possibility I see involves commandline submission using
a -F option. This will be slightly more extensive recoding...


--- Comment #7 from David Carter <dpc22@cam.ac.uk> ---
I don't think that I am using -F:

I had to go and look at spec.txt to find out what that was about.

The following:

git grep -- '-F'

doesn't find anything relevant in the Ansible playbook which provides all of
the configuration on these machines.


--- Comment #8 from Jeremy Harris <jgh146exb@wizmail.org> ---
I found one other, fairly abstruse possibility: a control=submission ACL
modifier, with a name= option on it having an expansion that is tainted.

The coding (now under test) should fix all of these.


--- Comment #9 from David Carter <dpc22@cam.ac.uk> ---
Okay, we definitely use some of these, including:

# In dubious cases the Sender: header gets the user's @hermes address.

accept
  control = submission/domain=hermes.cam.ac.uk/\
            name=${lookup {$authenticated_id} \
                  cdb {USERS/hermes_names.cdb} }

so it looks like we are on the right track here, thanks.


Git Commit <git@exim.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |git@exim.org

--- Comment #10 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/3c90bbcdc7cf73298156f7bcd5f5e750e7814e72

commit 3c90bbcdc7cf73298156f7bcd5f5e750e7814e72
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Thu Jul 9 15:30:55 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Thu Jul 9 18:09:04 2020 +0100

fix taint trap in parse_fix_phrase(). bug 2617
----
doc/doc-txt/ChangeLog | 6 ++++
src/src/acl.c | 3 +-
src/src/exim.c | 3 +-
src/src/expand.c | 5 +--
src/src/functions.h | 4 +--
src/src/parse.c | 89 ++++++++++++++++++---------------------------------
src/src/rewrite.c | 9 ++----
src/src/sieve.c | 17 ++--------
test/stdout/0002 | 4 +--
9 files changed, 49 insertions(+), 91 deletions(-)
