Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Hello,

I have uploaded exim4/4.72-4 to sid yesterday. There are two changes
compared to squeeze:

* A fix for a local security issue. (CVE-2011-0017: the Exim run-time
  user can cause root to append content of the attacker's choosing to
  arbitrary files.)
* An update to the SPF example code. The Debian exim configuration
  contains code to check SPF data by invoking spfquery. The code is
  disabled by default but easily enabled through a macro. Due to the
  removal of libmail-spf-query-perl from sid and squeeze the example
  code is broken (No message rejection, but non-working.) I have
  updated the respective ACL to use spf-tools-perl's spfquery instead.

-------------------------------------------------

There is a further issue I would like to fix for squeeze:

Debian bug #610611: If a non-debug daemon was invoked with a
non-whitelisted macro, then logs from after attempting delivery would
be silently lost, including for successful delivery. This log-loss bug
was introduced in 4.73 as part of the security lockdown.
http://git.exim.org/exim.git/commitdiff/b7487bcec431809cb7fc3c2b42fcd607e43d37e7

Please either unblock package exim4 or give me a go to upload 4.72-5
with the abovementioned additional fix.

unblock exim4/4.72-4

thanks, cu andreas

diff -Nru exim4-4.72/debian/changelog exim4-4.72/debian/changelog --- exim4-4.72/debian/changelog 2010-12-26 15:13:21.000000000 +0100 +++ exim4-4.72/debian/changelog 2011-01-22 17:48:25.000000000 +0100 @@ -1,3 +1,15 @@ +exim4 (4.72-4) unstable; urgency=medium + + * In spf example use spf-tools-perl's spfquery instead of the one from + libmail-spf-query-perl. Do not try to use unimplemented best-guess + support. Update Suggests accordingly. Closes: #608336 + * 80_4.74_CVE-2011-0017.patch (Pulled from upstream git): Check return + values of setgid/setuid. This is a privilege escalation vulnerability + whereby the Exim run-time user can cause root to append content of the + attacker's choosing to arbitrary files. + + -- Andreas Metzler <ametzler@debian.org> Sat, 22 Jan 2011 17:48:19 +0100 + exim4 (4.72-3) unstable; urgency=low * [README.Debian*] Correct command for manual paniclog rotation. (Thanks, diff -Nru exim4-4.72/debian/control exim4-4.72/debian/control --- exim4-4.72/debian/control 2010-12-24 11:03:24.000000000 +0100 +++ exim4-4.72/debian/control 2010-12-31 18:38:28.000000000 +0100 
@@ -19,7 +19,8 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, cron | fcron, exim4-config (>=4.30) | exim4-config-2, adduser, netbase, lsb-base (>= 3.0-6) # psmisc just for exiwhat. Recommends: psmisc, mailx, perl-modules -Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin | openssl, file, libmail-spf-query-perl (>= 1.999-1), swaks +Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, + gnutls-bin | openssl, file, spf-tools-perl, swaks Description: support files for all Exim MTA (v4) packages Exim (v4) is a mail transport agent. exim4-base provides the support files needed by all exim4 daemon packages. You need an additional package diff -Nru exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt --- exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2010-07-03 14:56:37.000000000 +0200 +++ exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2011-01-22 17:01:08.000000000 +0100 
@@ -240,43 +240,45 @@ # # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not # enable if that's an issue. Also note that if you enable this, you must - # install "libmail-spf-query-perl" which provides the spfquery command. - # Missing libmail-spf-query-perl will trigger the "Unexpected error in + # install "spf-tools-perl" which provides the spfquery command. + # Missing spf-tools-perl will trigger the "Unexpected error in # SPF check" warning. .ifdef CHECK_RCPT_SPF deny - message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ - Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address + message = [SPF] $sender_host_address is not allowed to send mail from \ + ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ + Please see \ + http://www.openspf.org/Why?scope=${if def:sender_address_domain \ + {mfrom}{helo}};identity=${if def:sender_address_domain \ + {$sender_address}{$sender_helo_name}};ip=$sender_host_address log_message = SPF check failed. !acl = acl_local_deny_exceptions - condition = ${run{/usr/bin/spfquery.mail-spf-query-perl --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\ - {no}{${if eq {$runrc}{1}{yes}{no}}}} - + condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \ + \"$sender_host_address\" --identity \ + ${if def:sender_address_domain \ + {--scope mfrom --identity \"$sender_address\"}\ + {--scope helo --identity \"$sender_helo_name\"}}}\ + {no}{${if eq {$runrc}{1}{yes}{no}}}} defer message = Temporary DNS error while checking SPF record. Try again later. 
!acl = acl_local_deny_exceptions condition = ${if eq {$runrc}{5}{yes}{no}} warn - message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\ - {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}} condition = ${if <={$runrc}{6}{yes}{no}} + message = Received-SPF: ${if eq {$runrc}{0}{pass}\ + {${if eq {$runrc}{2}{softfail}\ + {${if eq {$runrc}{3}{neutral}\ + {${if eq {$runrc}{4}{permerror}\ + {${if eq {$runrc}{6}{none}{error}}}}}}}}}\ + } client-ip=$sender_host_address; \ + ${if def:sender_address_domain \ + {envelope-from=${sender_address}; }{}}\ + helo=$sender_helo_name warn log_message = Unexpected error in SPF check. condition = ${if >{$runrc}{6}{yes}{no}} - - # Support for best-guess (see http://www.openspf.org/developers-guide.html) - warn - message = X-SPF-Guess: ${run{/usr/bin/spfquery.mail-spf-query-perl --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\ - {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\ - {${if eq {$runrc}{6}{none}{error}}}}}}}}}} - condition = ${if <={$runrc}{6}{yes}{no}} - - defer - message = Temporary DNS error while checking SPF record. Try again later. - !acl = acl_local_deny_exceptions - condition = ${if eq {$runrc}{5}{yes}{no}} .endif diff -Nru exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch --- exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch 2011-01-21 19:34:47.000000000 +0100 
@@ -0,0 +1,110 @@ +From 1670ef10063d7708eb736a482d1ad25b9c59521d Mon Sep 17 00:00:00 2001 +From: Phil Pennock <pdp@exim.org> +Date: Fri, 21 Jan 2011 03:56:02 -0500 +Subject: Check return values of setgid/setuid. + +CVE-2011-0017 + +One assertion of the unimportance of checking the return value was wrong, +in the event of a compromised exim run-time user. +--- +diff -NurBbp exim-4.72.orig/src/exim.c exim-4.72/src/exim.c +--- exim-4.72.orig/src/exim.c 2009-11-16 20:50:36.000000000 +0100 ++++ exim-4.72/src/exim.c 2011-01-21 19:28:00.000000000 +0100 +@@ -1309,7 +1309,7 @@ int arg_error_handling = error_handling + int filter_sfd = -1; + int filter_ufd = -1; + int group_count; +-int i; ++int i, rv; + int list_queue_option = 0; + int msg_action = 0; + int msg_action_arg = -1; +@@ -1628,8 +1628,20 @@ real_gid = getgid(); + + if (real_uid == root_uid) + { +- setgid(real_gid); +- setuid(real_uid); ++ rv = setgid(real_gid); ++ if (rv) ++ { ++ fprintf(stderr, "exim: setgid(%ld) failed: %s\n", ++ (long int)real_gid, strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ rv = setuid(real_uid); ++ if (rv) ++ { ++ fprintf(stderr, "exim: setuid(%ld) failed: %s\n", ++ (long int)real_uid, strerror(errno)); ++ exit(EXIT_FAILURE); ++ } + } + + /* If neither the original real uid nor the original euid was root, Exim is +@@ -3746,7 +3758,28 @@ if (!unprivileged && + + /* When we are retaining a privileged uid, we still change to the exim gid. */ + +-else setgid(exim_gid); ++else ++ { ++ int rv; ++ rv = setgid(exim_gid); ++ /* Impact of failure is that some stuff might end up with an incorrect group. ++ We track this for failures from root, since any attempt to change privilege ++ by root should succeed and failures should be examined. For non-root, ++ there's no security risk. For me, it's { exim -bV } on a just-built binary, ++ no need to complain then. 
*/ ++ if (rv == -1) ++ { ++ if (!unprivileged) ++ { ++ fprintf(stderr, ++ "exim: changing group failed: %s\n", strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ else ++ debug_printf("changing group to %ld failed: %s\n", ++ (long int)exim_gid, strerror(errno)); ++ } ++ } + + /* Handle a request to list the delivery queue */ + +diff -NurBbp exim-4.72.orig/src/log.c exim-4.72/src/log.c +--- exim-4.72.orig/src/log.c 2009-11-16 20:50:37.000000000 +0100 ++++ exim-4.72/src/log.c 2011-01-21 19:28:00.000000000 +0100 +@@ -343,17 +343,26 @@ are neither exim nor root, creation is n + + else if (euid == root_uid) + { +- int status; ++ int status, rv; + pid_t pid = fork(); + + /* In the subprocess, change uid/gid and do the creation. Return 0 from the +- subprocess on success. There doesn't seem much point in testing for setgid +- and setuid errors. */ ++ subprocess on success. If we don't check for setuid failures, then the file ++ can be created as root, so vulnerabilities which cause setuid to fail mean ++ that the Exim user can use symlinks to cause a file to be opened/created as ++ root. We always open for append, so can't nuke existing content but it would ++ still be Rather Bad. */ + + if (pid == 0) + { +- (void)setgid(exim_gid); +- (void)setuid(exim_uid); ++ rv = setgid(exim_gid); ++ if (rv) ++ die(US"exim: setgid for log-file creation failed, aborting", ++ US"Unexpected log failure, please try later"); ++ rv = setuid(exim_uid); ++ if (rv) ++ die(US"exim: setuid for log-file creation failed, aborting", ++ US"Unexpected log failure, please try later"); + _exit((create_log(buffer) < 0)? 1 : 0); + } + diff -Nru exim4-4.72/debian/patches/series exim4-4.72/debian/patches/series --- exim4-4.72/debian/patches/series 2010-12-24 11:12:37.000000000 +0100 +++ exim4-4.72/debian/patches/series 2011-01-21 19:35:49.000000000 +0100 
@@ -18,3 +18,4 @@ 80_4.73rc1_6_nonroot_system_filter_user.patch 80_4.73rc1_7_filter_D_option.patch 80_4.73rc1_8_updatedocumentation.patch +80_4.74_CVE-2011-0017.patch
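
Review bot: In the 30_exim4-config_check_rcpt hunk, the new deny condition passes a bare --identity directly after --ip "$sender_host_address", and then each branch of the ${if def:sender_address_domain ...} adds its own --scope ... --identity ... pair, so the expanded command line carries --identity twice and the first one has no value of its own. Drop the leading --identity so the command reads --ip ... --scope mfrom --identity ... (or --scope helo ...). The comment above the block names the package spf-tools-perl while the command invoked is /usr/bin/spfquery.mail-spf-perl; one line in the comment tying the two together would save the next reader a lookup.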
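
Review bot: In the exim.c hunk at -3746, the fatal message "exim: changing group failed" omits the target gid, although the debug_printf branch just below it and the setgid/setuid messages in the -1628 hunk all print it; add (long int)exim_gid to the fatal message as well. The block also declares its own int rv where the -1309 hunk already adds rv to the declarations, and it tests rv == -1 while the other checks in this patch test if (rv); if both are in the same function, reuse the existing variable and use one form of the test throughout. The comment's "For me, it's { exim -bV } on a just-built binary" reads as a personal note and would be clearer stated as the case it describes.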
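
Review bot: In the log.c hunk, the forked child now leaves through die() when setgid or setuid fails, while its normal path ends in _exit(...). Confirm that die() is safe to call in the child, that is, that it does not flush stdio buffers inherited from the parent or run exit handlers; otherwise report the failure and call _exit with a non-zero status directly. Both die() messages also drop errno; including strerror(errno), as the exim.c checks in this patch do, would make the failure diagnosable from the log.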