Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Hello,

I have uploaded exim4/4.72-4 to sid yesterday. There are two changes compared to squeeze:

* A fix for a local security issue. (CVE-2011-0017: the Exim run-time user can cause root to append content of the attacker's choosing to arbitrary files.)
* An update to the SPF example code. The Debian exim configuration contains code to check SPF data by invoking spfquery. The code is disabled by default but easily enabled through a macro. Due to the removal of libmail-spf-query-perl from sid and squeeze the example code is broken (No message rejection, but non-working.) I have updated the respective ACL to use spf-tools-perl's spfquery instead.

-------------------------------------------------

There is a further issue I would like to fix for squeeze:

Debian bug #610611: If a non-debug daemon was invoked with a non-whitelisted macro, then logs from after attempting delivery would be silently lost, including for successful delivery. This log-loss bug was introduced in 4.73 as part of the security lockdown.
http://git.exim.org/exim.git/commitdiff/b7487bcec431809cb7fc3c2b42fcd607e43d37e7

Please either unblock package exim4 or give me a go to upload 4.72-5 with the abovementioned additional fix.

unblock exim4/4.72-4

thanks, cu andreas

diff -Nru exim4-4.72/debian/changelog exim4-4.72/debian/changelog
--- exim4-4.72/debian/changelog 2010-12-26 15:13:21.000000000 +0100
+++ exim4-4.72/debian/changelog 2011-01-22 17:48:25.000000000 +0100
@@ -1,3 +1,15 @@
+exim4 (4.72-4) unstable; urgency=medium
+
+ * In spf example use spf-tools-perl's spfquery instead of the one from
+ libmail-spf-query-perl. Do not try to use unimplemented best-guess
+ support. Update Suggests accordingly. Closes: #608336
+ * 80_4.74_CVE-2011-0017.patch (Pulled from upstream git): Check return
+ values of setgid/setuid. This is a privilege escalation vulnerability
+ whereby the Exim run-time user can cause root to append content of the
+ attacker's choosing to arbitrary files.
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 22 Jan 2011 17:48:19 +0100
+
exim4 (4.72-3) unstable; urgency=low
* [README.Debian*] Correct command for manual paniclog rotation. (Thanks,
diff -Nru exim4-4.72/debian/control exim4-4.72/debian/control
--- exim4-4.72/debian/control 2010-12-24 11:03:24.000000000 +0100
+++ exim4-4.72/debian/control 2010-12-31 18:38:28.000000000 +0100
@@ -19,7 +19,8 @@
Depends: ${shlibs:Depends}, ${misc:Depends}, cron | fcron, exim4-config (>=4.30) | exim4-config-2, adduser, netbase, lsb-base (>= 3.0-6)
# psmisc just for exiwhat.
Recommends: psmisc, mailx, perl-modules
-Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin | openssl, file, libmail-spf-query-perl (>= 1.999-1), swaks
+Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info,
+ gnutls-bin | openssl, file, spf-tools-perl, swaks
Description: support files for all Exim MTA (v4) packages
Exim (v4) is a mail transport agent. exim4-base provides the support
files needed by all exim4 daemon packages. You need an additional package
diff -Nru exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2010-07-03 14:56:37.000000000 +0200
+++ exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2011-01-22 17:01:08.000000000 +0100
@@ -240,43 +240,45 @@
#
# This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
# enable if that's an issue. Also note that if you enable this, you must
- # install "libmail-spf-query-perl" which provides the spfquery command.
- # Missing libmail-spf-query-perl will trigger the "Unexpected error in
+ # install "spf-tools-perl" which provides the spfquery command.
+ # Missing spf-tools-perl will trigger the "Unexpected error in
# SPF check" warning.
.ifdef CHECK_RCPT_SPF
deny
- message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+ message = [SPF] $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+ Please see \
+ http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+ {mfrom}{helo}};identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};ip=$sender_host_address
log_message = SPF check failed.
!acl = acl_local_deny_exceptions
- condition = ${run{/usr/bin/spfquery.mail-spf-query-perl --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
- {no}{${if eq {$runrc}{1}{yes}{no}}}}
-
+ condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
+ \"$sender_host_address\" --identity \
+ ${if def:sender_address_domain \
+ {--scope mfrom --identity \"$sender_address\"}\
+ {--scope helo --identity \"$sender_helo_name\"}}}\
+ {no}{${if eq {$runrc}{1}{yes}{no}}}}
defer
message = Temporary DNS error while checking SPF record. Try again later.
!acl = acl_local_deny_exceptions
condition = ${if eq {$runrc}{5}{yes}{no}}
warn
- message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
- {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
condition = ${if <={$runrc}{6}{yes}{no}}
+ message = Received-SPF: ${if eq {$runrc}{0}{pass}\
+ {${if eq {$runrc}{2}{softfail}\
+ {${if eq {$runrc}{3}{neutral}\
+ {${if eq {$runrc}{4}{permerror}\
+ {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
+ } client-ip=$sender_host_address; \
+ ${if def:sender_address_domain \
+ {envelope-from=${sender_address}; }{}}\
+ helo=$sender_helo_name
warn
log_message = Unexpected error in SPF check.
condition = ${if >{$runrc}{6}{yes}{no}}
-
- # Support for best-guess (see http://www.openspf.org/developers-guide.html)
- warn
- message = X-SPF-Guess: ${run{/usr/bin/spfquery.mail-spf-query-perl --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
- {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
- {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
- condition = ${if <={$runrc}{6}{yes}{no}}
-
- defer
- message = Temporary DNS error while checking SPF record. Try again later.
- !acl = acl_local_deny_exceptions
- condition = ${if eq {$runrc}{5}{yes}{no}}
.endif
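Review bot: The new `condition` passes `--identity` twice. The `--identity \` that ends the `--ip` continuation line is followed by an `${if def:sender_address_domain ...}` whose two branches already expand to `--scope mfrom --identity "..."` or `--scope helo --identity "..."`, so spfquery is invoked as `--identity --scope ... --identity ...`. Drop the first `--identity` so that each branch supplies the only scope/identity pair. Separately, the `Received-SPF` mapping has no entry for `$runrc` 1, so a host that fails SPF but is exempted by `acl_local_deny_exceptions` gets the header value `error`; mapping 1 to `fail` would make that header accurate.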
diff -Nru exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch
--- exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch 2011-01-21 19:34:47.000000000 +0100
@@ -0,0 +1,110 @@
+From 1670ef10063d7708eb736a482d1ad25b9c59521d Mon Sep 17 00:00:00 2001
+From: Phil Pennock <pdp@exim.org>
+Date: Fri, 21 Jan 2011 03:56:02 -0500
+Subject: Check return values of setgid/setuid.
+
+CVE-2011-0017
+
+One assertion of the unimportance of checking the return value was wrong,
+in the event of a compromised exim run-time user.
+---
+diff -NurBbp exim-4.72.orig/src/exim.c exim-4.72/src/exim.c
+--- exim-4.72.orig/src/exim.c 2009-11-16 20:50:36.000000000 +0100
++++ exim-4.72/src/exim.c 2011-01-21 19:28:00.000000000 +0100
+@@ -1309,7 +1309,7 @@ int arg_error_handling = error_handling
+ int filter_sfd = -1;
+ int filter_ufd = -1;
+ int group_count;
+-int i;
++int i, rv;
+ int list_queue_option = 0;
+ int msg_action = 0;
+ int msg_action_arg = -1;
+@@ -1628,8 +1628,20 @@ real_gid = getgid();
+
+ if (real_uid == root_uid)
+ {
+- setgid(real_gid);
+- setuid(real_uid);
++ rv = setgid(real_gid);
++ if (rv)
++ {
++ fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
++ (long int)real_gid, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ rv = setuid(real_uid);
++ if (rv)
++ {
++ fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
++ (long int)real_uid, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ /* If neither the original real uid nor the original euid was root, Exim is
+@@ -3746,7 +3758,28 @@ if (!unprivileged &&
+
+ /* When we are retaining a privileged uid, we still change to the exim gid. */
+
+-else setgid(exim_gid);
++else
++ {
++ int rv;
++ rv = setgid(exim_gid);
++ /* Impact of failure is that some stuff might end up with an incorrect group.
++ We track this for failures from root, since any attempt to change privilege
++ by root should succeed and failures should be examined. For non-root,
++ there's no security risk. For me, it's { exim -bV } on a just-built binary,
++ no need to complain then. */
++ if (rv == -1)
++ {
++ if (!unprivileged)
++ {
++ fprintf(stderr,
++ "exim: changing group failed: %s\n", strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ else
++ debug_printf("changing group to %ld failed: %s\n",
++ (long int)exim_gid, strerror(errno));
++ }
++ }
+
+ /* Handle a request to list the delivery queue */
+
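Review bot: The fatal branch's message, `"exim: changing group failed: %s\n"`, omits the target gid that the debug branch prints; add `(long int)exim_gid` there as well, since this is the message an administrator will actually see. The block-local `int rv;` also repeats the `rv` that the first exim.c hunk added with `int i, rv;`; if both sit in the same function, drop the inner declaration to avoid shadowing. The failure test is inconsistent too: `if (rv)` in the earlier hunk, `if (rv == -1)` here. The "For me, it's { exim -bV } on a just-built binary" remark in the comment would read better as a neutral description of the non-root case.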
+diff -NurBbp exim-4.72.orig/src/log.c exim-4.72/src/log.c
+--- exim-4.72.orig/src/log.c 2009-11-16 20:50:37.000000000 +0100
++++ exim-4.72/src/log.c 2011-01-21 19:28:00.000000000 +0100
+@@ -343,17 +343,26 @@ are neither exim nor root, creation is n
+
+ else if (euid == root_uid)
+ {
+- int status;
++ int status, rv;
+ pid_t pid = fork();
+
+ /* In the subprocess, change uid/gid and do the creation. Return 0 from the
+- subprocess on success. There doesn't seem much point in testing for setgid
+- and setuid errors. */
++ subprocess on success. If we don't check for setuid failures, then the file
++ can be created as root, so vulnerabilities which cause setuid to fail mean
++ that the Exim user can use symlinks to cause a file to be opened/created as
++ root. We always open for append, so can't nuke existing content but it would
++ still be Rather Bad. */
+
+ if (pid == 0)
+ {
+- (void)setgid(exim_gid);
+- (void)setuid(exim_uid);
++ rv = setgid(exim_gid);
++ if (rv)
++ die(US"exim: setgid for log-file creation failed, aborting",
++ US"Unexpected log failure, please try later");
++ rv = setuid(exim_uid);
++ if (rv)
++ die(US"exim: setuid for log-file creation failed, aborting",
++ US"Unexpected log failure, please try later");
+ _exit((create_log(buffer) < 0)? 1 : 0);
+ }
+
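Review bot: Both `die()` calls in the child drop the reason for the failure: unlike the exim.c hunks, which print `strerror(errno)` and the target id, these messages carry neither errno nor `exim_gid`/`exim_uid`. Including them would make a failed privilege drop diagnosable from the log rather than only detectable. It is also worth confirming that `die()` is safe to call in the forked child, given that the normal path in this block leaves through `_exit()`.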
diff -Nru exim4-4.72/debian/patches/series exim4-4.72/debian/patches/series
--- exim4-4.72/debian/patches/series 2010-12-24 11:12:37.000000000 +0100
+++ exim4-4.72/debian/patches/series 2011-01-21 19:35:49.000000000 +0100
@@ -18,3 +18,4 @@
80_4.73rc1_6_nonroot_system_filter_user.patch
80_4.73rc1_7_filter_D_option.patch
80_4.73rc1_8_updatedocumentation.patch
+80_4.74_CVE-2011-0017.patch