On Sat, Jan 05, 2013 at 02:20:06PM +0100, Andreas Metzler wrote:
> On top of this I would like to discuss whether it is acceptable to fix
> http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> get the fix into testing - #697444.] The Debian configuration
> optionally allows to use spfquery to run SPF-checks on incoming mail.
> Due to insufficient quoting it is possible to pass on arbitrary
> arguments to spfquery and therefore bypass SPF checks. The fix is not
> invasive, but it changes dpkg conffiles.
>
> ------------------------------- > diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt > index ac347aa..4949587 100644 > --- a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt > +++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt > @@ -265,10 +265,10 @@ acl_check_rcpt: > log_message = SPF check failed. > !acl = acl_local_deny_exceptions > condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \ > - \"$sender_host_address\" --identity \ > + ${quote:$sender_host_address} --identity \ > ${if def:sender_address_domain \ > - {--scope mfrom --identity \"$sender_address\"}\ > - {--scope helo --identity \"$sender_helo_name\"}}}\ > + {--scope mfrom --identity ${quote:$sender_address}}\ > + {--scope helo --identity ${quote:$sender_helo_name}}}}\ > {no}{${if eq {$runrc}{1}{yes}{no}}}} > > defer > -------------------------------

Just to be clear: The underquoting does not yield a situation where one can use shell escapes or similar? It's "just" about being able to bypass the SPF check by supplying crafted data?

Kind regards
Philipp Kern
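
Review bot: the unchanged context line `{no}{${if eq {$runrc}{1}{yes}{no}}}}` maps only exit status 1 to yes, so any other non-zero status from spfquery still leaves this condition false and the "SPF check failed" stanza does not match. Since the bug is about bypassing the check through crafted arguments, the conffile would benefit from a comment stating which exit statuses are expected here and which are left to the following `defer` stanza (only its first line is visible in this hunk). Separately, the first changed line keeps the trailing `--identity \` in front of the `${if`, while both branches emit `--identity` again after `--scope`, so the option appears twice on the resulting command line; if the first occurrence is intentional a short comment would help, otherwise it could be dropped in the same change.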