Mailing List Archive: [Bug 3001] infoleak in SPA authenticator, client

https://bugs.exim.org/show_bug.cgi?id=3001

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |high
Assignee|unallocated@exim.org |jgh146exb@wizmail.org
CC| |exim-dev@lists.exim.org
Component|Unfiled |SMTP Authentication
Summary|(placeholder) |infoleak in SPA
| |authenticator, client

--- Comment #1 from Jeremy Harris <jgh146exb@wizmail.org> ---
ZDI-CAN-17433 (Trend Micro)

A crafted SPA challenge from the server can cause the client authenticator
to read OOB; the data is then returned to the server.

Fix: validate the offset contained in the challenge, to avoid reading
past the end of the challenge data structure.

Vulnerable since at least 4.50, probably longer.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/