
Bug#610879: marked as done (unblock: exim4/4.72-4)



Your message dated Sun, 23 Jan 2011 18:10:14 +0100
with message-id <20110123171014.GZ30701@radis.liafa.jussieu.fr>
and subject line Re: Bug#610879: unblock: exim4/4.72-4
has caused the Debian Bug report #610879,
regarding unblock: exim4/4.72-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
610879: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610879
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Hello,

I uploaded exim4/4.72-4 to sid yesterday. There are two changes
compared to squeeze:

* A fix for a local security issue. (CVE-2011-0017: the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.)

* An update to the SPF example code. The Debian exim configuration contains
code to check SPF data by invoking spfquery. The code is disabled by
default but easily enabled through a macro. Due to the removal of
libmail-spf-query-perl from sid and squeeze the example code is broken
(No message rejection, but non-working.) I have updated the respective
ACL to use spf-tools-perl's spfquery instead.

-------------------------------------------------

There is a further issue I would like to fix for squeeze:

Debian bug #610611: If a non-debug daemon was invoked with a
non-whitelisted macro, then logs from after attempting delivery would
be silently lost, including for successful delivery.  This log-loss
bug was introduced in 4.73 as part of the security lockdown.
http://git.exim.org/exim.git/commitdiff/b7487bcec431809cb7fc3c2b42fcd607e43d37e7

Please either unblock package exim4 or give me a go to upload 4.72-5
with the abovementioned additional fix.

unblock exim4/4.72-4

thanks, cu andreas

diff -Nru exim4-4.72/debian/changelog exim4-4.72/debian/changelog
--- exim4-4.72/debian/changelog	2010-12-26 15:13:21.000000000 +0100
+++ exim4-4.72/debian/changelog	2011-01-22 17:48:25.000000000 +0100
@@ -1,3 +1,15 @@
+exim4 (4.72-4) unstable; urgency=medium
+
+  * In spf example use spf-tools-perl's spfquery instead of the one from
+    libmail-spf-query-perl. Do not try to use unimplemented best-guess
+    support. Update Suggests accordingly. Closes: #608336
+  * 80_4.74_CVE-2011-0017.patch (Pulled from upstream git): Check return
+    values of setgid/setuid. This is a privilege escalation vulnerability
+    whereby the Exim run-time user can cause root to append content of the
+    attacker's choosing to arbitrary files.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 22 Jan 2011 17:48:19 +0100
+
 exim4 (4.72-3) unstable; urgency=low
 
   * [README.Debian*] Correct command for manual paniclog rotation. (Thanks,
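Review bot: the 80_4.74_CVE-2011-0017.patch bullet names the patch file but not the upstream commit it was pulled from, which the patch header itself carries (1670ef10063d7708eb736a482d1ad25b9c59521d, Phil Pennock, 2011-01-21); quoting that id in the changelog makes the backport to 4.72 verifiable against exim.git without opening the patch.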
diff -Nru exim4-4.72/debian/control exim4-4.72/debian/control
--- exim4-4.72/debian/control	2010-12-24 11:03:24.000000000 +0100
+++ exim4-4.72/debian/control	2010-12-31 18:38:28.000000000 +0100
@@ -19,7 +19,8 @@
 Depends: ${shlibs:Depends}, ${misc:Depends}, cron | fcron, exim4-config (>=4.30) | exim4-config-2, adduser, netbase, lsb-base (>= 3.0-6)
 # psmisc just for exiwhat.
 Recommends: psmisc, mailx, perl-modules
-Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin | openssl, file, libmail-spf-query-perl (>= 1.999-1), swaks
+Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, 
+ gnutls-bin | openssl, file, spf-tools-perl, swaks
 Description: support files for all Exim MTA (v4) packages
  Exim (v4) is a mail transport agent. exim4-base provides the support
  files needed by all exim4 daemon packages. You need an additional package
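Review bot: the rewritten Suggests: line ends in a trailing space after `exim4-doc-info, ` (the continuation line then begins with its own space); trim it. Also, the removed entry was versioned (`libmail-spf-query-perl (>= 1.999-1)`) while the replacement `spf-tools-perl` carries no version, yet the ACL change in this upload relies on spfquery.mail-spf-perl accepting `--scope` and `--identity`; consider whether a minimum version is needed to guarantee those options are understood.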
diff -Nru exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2010-07-03 14:56:37.000000000 +0200
+++ exim4-4.72/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2011-01-22 17:01:08.000000000 +0100
@@ -240,43 +240,45 @@
   #
   # This is quite costly in terms of DNS lookups (~6 lookups per mail).  Do not
   # enable if that's an issue.  Also note that if you enable this, you must
-  # install "libmail-spf-query-perl" which provides the spfquery command.
-  # Missing libmail-spf-query-perl will trigger the "Unexpected error in
+  # install "spf-tools-perl" which provides the spfquery command.
+  # Missing spf-tools-perl will trigger the "Unexpected error in
   # SPF check" warning.
   .ifdef CHECK_RCPT_SPF
   deny
-    message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
-              Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+    message = [SPF] $sender_host_address is not allowed to send mail from \
+              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
+              Please see \
+	      http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+              {mfrom}{helo}};identity=${if def:sender_address_domain \
+              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
     log_message = SPF check failed.
     !acl = acl_local_deny_exceptions
-    condition = ${run{/usr/bin/spfquery.mail-spf-query-perl --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
-                     {no}{${if eq {$runrc}{1}{yes}{no}}}}
-
+    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
+                   \"$sender_host_address\" --identity \
+                   ${if def:sender_address_domain \
+                       {--scope mfrom  --identity \"$sender_address\"}\
+                       {--scope helo --identity  \"$sender_helo_name\"}}}\
+                   {no}{${if eq {$runrc}{1}{yes}{no}}}}
   defer
     message = Temporary DNS error while checking SPF record.  Try again later.
     !acl = acl_local_deny_exceptions
     condition = ${if eq {$runrc}{5}{yes}{no}}
 
   warn
-    message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
-                                 {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
     condition = ${if <={$runrc}{6}{yes}{no}}
+    message = Received-SPF: ${if eq {$runrc}{0}{pass}\
+                                {${if eq {$runrc}{2}{softfail}\
+                                 {${if eq {$runrc}{3}{neutral}\
+				  {${if eq {$runrc}{4}{permerror}\
+				   {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
+				} client-ip=$sender_host_address; \
+				${if def:sender_address_domain \
+				   {envelope-from=${sender_address}; }{}}\
+				helo=$sender_helo_name
 
   warn
     log_message = Unexpected error in SPF check.
     condition = ${if >{$runrc}{6}{yes}{no}}
-
-  # Support for best-guess (see http://www.openspf.org/developers-guide.html)
-  warn
-    message = X-SPF-Guess: ${run{/usr/bin/spfquery.mail-spf-query-perl --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
-                                {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
-                                {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
-    condition = ${if <={$runrc}{6}{yes}{no}}
-
-  defer
-    message = Temporary DNS error while checking SPF record.  Try again later.
-    !acl = acl_local_deny_exceptions
-    condition = ${if eq {$runrc}{5}{yes}{no}}
   .endif
 
 
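Review bot: in the new `condition =` of the deny verb, the `--identity \` at the end of the second continuation line is stray: both branches of the `${if def:sender_address_domain ...}` that follows already supply `--scope ... --identity \"...\"`, so the expanded command reads `--ip \"...\" --identity --scope mfrom --identity \"...\"`. Depending on how spfquery parses that, `--scope` is swallowed as the value of the first `--identity` (the scope is then silently lost and `mfrom`/`helo` is left over as a stray argument) or the option parser errors out, which this ACL surfaces only as "Unexpected error in SPF check" with no SPF result at all. Drop that `--identity` so the second line ends at `\"$sender_host_address\" \` and the `${if ...}` supplies the rest. Minor: the continuation lines starting with `http://www.openspf.org/Why?scope=` and most of the Received-SPF message are indented with tabs while the rest of the file uses spaces; Exim strips leading whitespace on continued lines so it is harmless, but worth unifying. Note also that `${run}` does not go through a shell, so the `\"$sender_address\"` quoting only governs argument splitting, not command injection.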
diff -Nru exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch
--- exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.72/debian/patches/80_4.74_CVE-2011-0017.patch	2011-01-21 19:34:47.000000000 +0100
@@ -0,0 +1,110 @@
+From 1670ef10063d7708eb736a482d1ad25b9c59521d Mon Sep 17 00:00:00 2001
+From: Phil Pennock <pdp@exim.org>
+Date: Fri, 21 Jan 2011 03:56:02 -0500
+Subject: Check return values of setgid/setuid.
+
+CVE-2011-0017
+
+One assertion of the unimportance of checking the return value was wrong,
+in the event of a compromised exim run-time user.
+---
+diff -NurBbp exim-4.72.orig/src/exim.c exim-4.72/src/exim.c
+--- exim-4.72.orig/src/exim.c	2009-11-16 20:50:36.000000000 +0100
++++ exim-4.72/src/exim.c	2011-01-21 19:28:00.000000000 +0100
+@@ -1309,7 +1309,7 @@ int  arg_error_handling = error_handling
+ int  filter_sfd = -1;
+ int  filter_ufd = -1;
+ int  group_count;
+-int  i;
++int  i, rv;
+ int  list_queue_option = 0;
+ int  msg_action = 0;
+ int  msg_action_arg = -1;
+@@ -1628,8 +1628,20 @@ real_gid = getgid();
+ 
+ if (real_uid == root_uid)
+   {
+-  setgid(real_gid);
+-  setuid(real_uid);
++  rv = setgid(real_gid);
++  if (rv)
++    {
++    fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
++        (long int)real_gid, strerror(errno));
++    exit(EXIT_FAILURE);
++    }
++  rv = setuid(real_uid);
++  if (rv)
++    {
++    fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
++        (long int)real_uid, strerror(errno));
++    exit(EXIT_FAILURE);
++    }
+   }
+ 
+ /* If neither the original real uid nor the original euid was root, Exim is
+@@ -3746,7 +3758,28 @@ if (!unprivileged &&
+ 
+ /* When we are retaining a privileged uid, we still change to the exim gid. */
+ 
+-else setgid(exim_gid);
++else
++  {
++  int rv;
++  rv = setgid(exim_gid);
++  /* Impact of failure is that some stuff might end up with an incorrect group.
++  We track this for failures from root, since any attempt to change privilege
++  by root should succeed and failures should be examined.  For non-root,
++  there's no security risk.  For me, it's { exim -bV } on a just-built binary,
++  no need to complain then. */
++  if (rv == -1)
++    {
++    if (!unprivileged)
++      {
++      fprintf(stderr,
++          "exim: changing group failed: %s\n", strerror(errno));
++      exit(EXIT_FAILURE);
++      }
++    else
++      debug_printf("changing group to %ld failed: %s\n",
++          (long int)exim_gid, strerror(errno));
++    }
++  }
+ 
+ /* Handle a request to list the delivery queue */
+ 
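Review bot: the block-local `int rv;` inside the new `else` shadows the `rv` this same patch adds to main()'s declarations in the first hunk (`int i, rv;`); remove the inner declaration, or give it a distinct name, so there is one variable and no -Wshadow noise. Related: this hunk tests `if (rv == -1)` while the other two hunks test `if (rv)`; pick one form. The behaviour itself is sound: abort only when the process still holds privilege (`!unprivileged`), and merely debug-print for an unprivileged `exim -bV` on a just-built binary.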
+diff -NurBbp exim-4.72.orig/src/log.c exim-4.72/src/log.c
+--- exim-4.72.orig/src/log.c	2009-11-16 20:50:37.000000000 +0100
++++ exim-4.72/src/log.c	2011-01-21 19:28:00.000000000 +0100
+@@ -343,17 +343,26 @@ are neither exim nor root, creation is n
+ 
+ else if (euid == root_uid)
+   {
+-  int status;
++  int status, rv;
+   pid_t pid = fork();
+ 
+   /* In the subprocess, change uid/gid and do the creation. Return 0 from the
+-  subprocess on success. There doesn't seem much point in testing for setgid
+-  and setuid errors. */
++  subprocess on success. If we don't check for setuid failures, then the file
++  can be created as root, so vulnerabilities which cause setuid to fail mean
++  that the Exim user can use symlinks to cause a file to be opened/created as
++  root.  We always open for append, so can't nuke existing content but it would
++  still be Rather Bad. */
+ 
+   if (pid == 0)
+     {
+-    (void)setgid(exim_gid);
+-    (void)setuid(exim_uid);
++    rv = setgid(exim_gid);
++    if (rv)
++      die(US"exim: setgid for log-file creation failed, aborting",
++	  US"Unexpected log failure, please try later");
++    rv = setuid(exim_uid);
++    if (rv)
++      die(US"exim: setuid for log-file creation failed, aborting",
++	  US"Unexpected log failure, please try later");
+     _exit((create_log(buffer) < 0)? 1 : 0);
+     }
+ 
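Review bot: on the failure path the forked child now goes through die() rather than the `_exit(...)` the success path uses two lines below. If die() ends in exit() rather than _exit(), the child runs the parent's atexit handlers and flushes stdio buffers it inherited across fork(); either confirm die() uses _exit() here or report the error and `_exit(1)` directly, letting the parent's existing `status` check treat it as a failed creation, which it already does for any non-zero child status. The expanded comment is a good record of why the unchecked setuid mattered and should stay.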
diff -Nru exim4-4.72/debian/patches/series exim4-4.72/debian/patches/series
--- exim4-4.72/debian/patches/series	2010-12-24 11:12:37.000000000 +0100
+++ exim4-4.72/debian/patches/series	2011-01-21 19:35:49.000000000 +0100
@@ -18,3 +18,4 @@
 80_4.73rc1_6_nonroot_system_filter_user.patch
 80_4.73rc1_7_filter_D_option.patch
 80_4.73rc1_8_updatedocumentation.patch
+80_4.74_CVE-2011-0017.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
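The pattern the log.c comment in the patch above describes, as an added stand-alone C example (written for this page; it is not Exim code and not the fix itself): a helper child drops to a target uid/gid with every call checked, refuses to open the log file if the drop did not take, and opens with O_NOFOLLOW as a second line of defence against a planted symlink. The function names, the temporary-directory layout and the sample log line are this example's own assumptions. It runs as an ordinary user: the failed-drop case is simulated by asking for uid/gid 0, which an unprivileged process cannot obtain; a root-run service would reach the same code path through whatever makes setuid() fail.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit codes the helper child reports back to its parent. */
enum { APPEND_OK = 0, APPEND_IO_ERROR = 1, APPEND_DROP_FAILED = 2 };

/* Constructed sample log line; not taken from any real Exim log. */
static const char demo_line[] = "2011-01-22 17:48:19 example: message accepted\n";

/* Drop the group first (that needs the privilege we are about to give up),
 * then the user, checking each call, then confirm with the get*id() calls
 * that the kernel really switched.  Ignoring these results is exactly what
 * the CVE-2011-0017 patch stops doing. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

/* Fork, drop privileges in the child, and only then create/append to path.
 * If the drop fails the child exits without touching the file: opening it
 * with the parent's credentials is what lets a symlink planted by the
 * service user turn a log append into an append to any file.  O_NOFOLLOW is
 * a second line of defence: a symlink as the last path component makes the
 * open fail (ELOOP) instead of being followed. */
int append_line_as(uid_t uid, gid_t gid, const char *path, const char *line)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(APPEND_DROP_FAILED);
        int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
        if (fd < 0) _exit(APPEND_IO_ERROR);
        size_t len = strlen(line);
        ssize_t n = write(fd, line, len);
        close(fd);
        _exit(n == (ssize_t)len ? APPEND_OK : APPEND_IO_ERROR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Size of a file in bytes, or -1 if it does not exist. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Exercise the three cases in a fresh temporary directory.  Returns 0 when
 * every expectation held, otherwise a small code naming the failed step. */
int run_demo(void)
{
    char dir[] = "/tmp/privdrop-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./privdrop-demo-XXXXXX");  /* fall back to the cwd */
        if (mkdtemp(dir) == NULL) return 1;
    }
    char mainlog[128], paniclog[128], victim[128];
    snprintf(mainlog, sizeof mainlog, "%s/mainlog", dir);
    snprintf(paniclog, sizeof paniclog, "%s/paniclog", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    long want = (long)(sizeof demo_line - 1);
    int rc = 0;

    /* 1. Dropping to our own ids is always permitted, so the append works. */
    if (append_line_as(getuid(), getgid(), mainlog, demo_line) != APPEND_OK
        || file_size(mainlog) != want)
        rc = 2;

    /* 2. A failing drop must abort before the open.  An unprivileged process
     *    cannot setgid/setuid to 0 (EPERM), standing in for whatever makes a
     *    real drop fail; as root the drop would succeed, so skip the step. */
    if (rc == 0 && getuid() != 0
        && (append_line_as(0, 0, mainlog, "must never be written\n")
                != APPEND_DROP_FAILED || file_size(mainlog) != want))
        rc = 3;

    /* 3. paniclog is a symlink to a file that does not exist yet: O_NOFOLLOW
     *    refuses it, so "victim" is never created or written. */
    if (rc == 0) {
        if (symlink(victim, paniclog) != 0)
            rc = 4;
        else if (append_line_as(getuid(), getgid(), paniclog,
                                "attacker-chosen content\n") != APPEND_IO_ERROR
                 || file_size(victim) != -1)
            rc = 5;
    }

    unlink(paniclog); unlink(victim); unlink(mainlog); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("privilege-drop demo: %s (code %d)\n",
           rc == 0 ? "all three checks held" : "FAILED", rc);
    return rc;
}
```

Build with `cc -Wall -o privdrop privdrop.c` and run it as a normal user. The order inside drop_privileges matters: setgid() comes first because once setuid() has succeeded the process may no longer be allowed to change its group, and the get*id() re-check after both calls is cheap insurance against a setuid() that returns 0 without doing what was asked.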
--- Begin Message ---
On Sun, Jan 23, 2011 at 17:56:45 +0100, Andreas Metzler wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: freeze-exception
> 
> Hello,
> 
> I uploaded exim4/4.72-4 to sid yesterday. There are two changes
> compared to squeeze:
> 
> * A fix for a local security issue. (CVE-2011-0017: the Exim run-time user
> can cause root to append content of the attacker's choosing to
> arbitrary files.)
> 
> * An update to the SPF example code. The Debian exim configuration contains
> code to check SPF data by invoking spfquery. The code is disabled by
> default but easily enabled through a macro. Due to the removal of
> libmail-spf-query-perl from sid and squeeze the example code is broken
> (No message rejection, but non-working.) I have updated the respective
> ACL to use spf-tools-perl's spfquery instead.
> 
Unblocked.

> -------------------------------------------------
> 
> There is a further issue I would like to fix for squeeze:
> 
> Debian bug #610611: If a non-debug daemon was invoked with a
> non-whitelisted macro, then logs from after attempting delivery would
> be silently lost, including for successful delivery.  This log-loss
> bug was introduced in 4.73 as part of the security lockdown.
> http://git.exim.org/exim.git/commitdiff/b7487bcec431809cb7fc3c2b42fcd607e43d37e7
> 
> Please either unblock package exim4 or give me a go to upload 4.72-5
> with the abovementioned additional fix.
> 
Let's get -4 in squeeze first, and then consider if we still have time
for -5.  If not, you can still upload to p-u and fix this for 6.0.1.

Thanks,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---
