Mailing List Archive

4.96 and UUCP
Hi!

I'm using UUCP (over ssh) and updating exim to 4.96 caused some fun with
tainted variables. The uucp transport config includes

command = uux - -r $host!rmail ($local_part@$domain)

to send emails to a UUCP smarthost. As $local_part and $domain are now
tainted for pipe transports I get errors like:

user@domain.tld R=uucp_smarthost T=uucp_pipe: Tainted arg 4 for uucp_pipe
transport command: 'user@domain.tld'

IIRC, the 'recommended' way to solve issues with tainted variables is to
perform a database lookup. In this case (routing via a UUCP smarthost) I
can't create a database with all possible recipients for obvious reasons.
Luckily I found a post
(https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/)
which shows a hack to deal with this situation. However, I would prefer a
recommended solution (if available) or suggest to add an option to allow
tainted variables in a specific transport configuration.

ciao
Markus
--
/ Markus Reschke \
\ madires@theca-tabellaria.de /


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: 4.96 and UUCP
On 28/06/2022 12:22, Markus Reschke via Exim-users wrote:
> IIRC, the 'recommended' way to solve issues with tainted variables is to perform a database lookup.

Actually, that is better phrased as "The requirement is to not use values provided
by potential attackers in sensitive situations" - and the common means of
not doing so is to obtain values from a trusted place, using (if needed) those
untrusted values as search keys.

Assuming there really is no way for you to use a pure SMTP environment
(i.e. dump UUCP), or somehow avoid using a pipe transport (I can't think
of a way offhand), any method here is going to be somewhat hacky. The
least-worst is probably to wrap your uux invocation in another program
(shell script, perl script, custom binary) which picks up the environment
variable $RECIPIENT.
--
Cheers,
Jeremy

Re: 4.96 and UUCP
* Jeremy Harris via Exim-users [2022-06-29 11:21]:
> On 28/06/2022 12:22, Markus Reschke via Exim-users wrote:
> > IIRC, the 'recommended' way to solve issues with tainted variables is to perform a database lookup.
>
> Actually, that is better phrased as "The requirement is to not use values provided
> by potential attackers in sensitive situations" - and the common means of
> not doing so is to obtain values from a trusted place, using (if needed) those
> untrusted values as search keys.
>
> Assuming there really is no way for you to use a pure SMTP environment
> (i.e. dump UUCP), or somehow avoid using a pipe transport (I can't think
> of a way offhand), any method here is going to be somewhat hacky. The
> least-worst is probably to wrap your uux invocation in another program
> (shell script, perl script, custom binary) which picks up the environment
> variable $RECIPIENT.

And here's an example of how such a wrapper could be done:

https://dovecot.org/pipermail/dovecot/2022-April/124589.html

It's CRITICAL that all arguments in the wrapper script are quoted!

> --
> Cheers,
> Jeremy

--
-- Kirill Miazine <km@krot.org>

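As an added example, not code from this thread or from Exim itself: a POSIX sh wrapper along the lines Jeremy describes, which takes the recipient from the RECIPIENT environment variable that Exim exports to pipe-transport children instead of from a tainted $local_part/$domain argument, validates it against a conservative allowlist, and then calls uux with every argument quoted, as Kirill's reply insists. The transport name uucp_pipe and the `$host!rmail` form are from Markus's configuration; the script path /usr/local/sbin/uux-rmail, the allowed-character sets, the UUX override variable and the assumption that $host is config-derived (from a router's route_list) and therefore untainted are mine.

```shell
#!/bin/sh
# uux-rmail: wrapper for Exim's pipe transport that hands a message to a
# UUCP smarthost without putting tainted data in the transport command.
#
# Exim 4.96 rejects tainted values ($local_part, $domain, ...) as pipe
# transport arguments, but it still exports the full recipient address to
# the child process in the RECIPIENT environment variable.  So the transport
# passes only the UUCP host name on the command line (assumption: $host
# comes from the router's route_list, i.e. from config, not from the
# message) and the wrapper validates RECIPIENT itself, e.g.:
#
#   uucp_pipe:
#     driver  = pipe
#     command = /usr/local/sbin/uux-rmail $host
#
# The script path, the allowed character sets and the UUX override are
# assumptions made for this example.
set -u

die() {
    printf 'uux-rmail: %s\n' "$1" >&2
    exit 1
}

# Accept only a conservative address shape: exactly one '@', non-empty local
# part and domain, characters from an explicit allowlist.  Rejecting anything
# else keeps shell metacharacters, whitespace and option-looking values
# (a leading '-') away from uux and rmail.  Adjust the allowlist to your site.
valid_recipient() {
    addr=$1
    case $addr in
        '' | *[!A-Za-z0-9._+@-]*) return 1 ;;
    esac
    case $addr in *@*) ;; *) return 1 ;; esac
    local_part=${addr%%@*}
    domain=${addr#*@}
    [ -n "$local_part" ] && [ -n "$domain" ] || return 1
    case $domain in *@* | -* | .* | *. | *..*) return 1 ;; esac
    case $local_part in -*) return 1 ;; esac
    return 0
}

# The UUCP host name comes from Exim config here, but check its shape anyway
# so a misconfigured router cannot turn it into an option or a path.
valid_host() {
    case $1 in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# The argv that will be executed, one element per line, for inspection and
# testing.  Every variable is double-quoted, so a value can never be split
# into extra arguments or expanded as a glob.
uux_argv() {
    printf '%s\n' "${UUX:-uux}" - -r "$1!rmail" "($2)"
}

main() {
    [ $# -eq 1 ] || die "usage: uux-rmail <uucp-host>"
    host=$1
    valid_host "$host" || die "refusing UUCP host: $host"
    # RECIPIENT is set by Exim for pipe transports; it is the full address.
    rcpt=${RECIPIENT:-}
    [ -n "$rcpt" ] || die "RECIPIENT not set; run from an Exim pipe transport"
    valid_recipient "$rcpt" || die "refusing recipient: $rcpt"
    # exec so uux's exit status is what Exim sees; whether a non-zero status
    # defers or bounces is governed by the transport's temp_errors option.
    exec "${UUX:-uux}" - -r "$host!rmail" "($rcpt)"
}

# Only run main when invoked as the installed script, so the functions can be
# sourced or tested without RECIPIENT being set.
case ${0##*/} in
    uux-rmail) main "$@" ;;
esac
```

Install the script with a fixed, root-owned path and point the transport's command at it; the only thing Exim then expands into the command line is the untainted host, and the recipient never passes through a shell. Exim's default for pipe transports is to run the command directly without a shell, and the wrapper keeps it that way by calling uux with exec and quoted arguments rather than building a command string.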