
Bug#755712: wheezy-pu: package exim4/4.80-7



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

exim 4.83 includes a fix for a minor security issue (local privilege
escalation to exim user) which I would like to fix for stable. I have
already double-checked with Debian security that fixing this via a
stable update instead of a DSA is the right thing to do.

debdiff attached.

This is CVE-2014-2972.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
File lists identical on package level (after any substitutions)

Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-2935-] {+2936+}
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-2591-] {+2592+}
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}
diff -Nru exim4-4.80/debian/changelog exim4-4.80/debian/changelog
--- exim4-4.80/debian/changelog	2013-01-02 19:37:26.000000000 +0100
+++ exim4-4.80/debian/changelog	2014-07-21 08:16:02.000000000 +0200
@@ -1,3 +1,10 @@
+exim4 (4.80-7+deb7u1) wheezy; urgency=high
+
+  * [87_double_expansion.diff] from upstream. Stop unwanted double expansion
+    of arguments to mathematical comparison operations.
+
+ -- Andreas Metzler <ametzler@debian.org>  Mon, 21 Jul 2014 07:55:47 +0200
+
 exim4 (4.80-7) unstable; urgency=low
 
   * Use exim's ${quote:xxx} operator when invoking spfquery to disallow
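Review bot: The new 4.80-7+deb7u1 entry at the top of debian/changelog does not name the CVE it fixes. The covering mail identifies the issue as CVE-2014-2972, so the bullet should carry that id (for example "Fixes CVE-2014-2972") to let the security tracker and administrators reading the changelog match the upload to the issue. The entry also sets urgency=high while the request describes the issue as minor; confirm that this is intended for a stable update.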
diff -Nru exim4-4.80/debian/patches/87_double_expansion.diff exim4-4.80/debian/patches/87_double_expansion.diff
--- exim4-4.80/debian/patches/87_double_expansion.diff	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.80/debian/patches/87_double_expansion.diff	2014-07-21 07:54:04.000000000 +0200
@@ -0,0 +1,70 @@
+Description: Fix double expansions with mathemical comparison operations.
+Author: Todd Lyons <tlyons@exim.org>
+Origin: upstream
+Forwarded: not-needed
+Last-Update: 2014-07-20
+
+Index: exim-4.80/src/expand.c
+===================================================================
+--- exim-4.80.orig/src/expand.c	2012-05-31 00:40:15.000000000 +0000
++++ exim-4.80/src/expand.c	2014-07-21 05:50:45.935359061 +0000
+@@ -14,6 +14,7 @@
+ /* Recursively called function */
+ 
+ static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL);
++static int_eximarith_t expanded_string_integer(uschar *, BOOL);
+ 
+ #ifdef STAND_ALONE
+ #ifndef SUPPORT_CRYPTEQ
+@@ -2115,7 +2116,7 @@ switch(cond_type)
+         }
+       else
+         {
+-        num[i] = expand_string_integer(sub[i], FALSE);
++        num[i] = expanded_string_integer(sub[i], FALSE);
+         if (expand_string_message != NULL) return NULL;
+         }
+       }
+@@ -5932,7 +5933,7 @@ while (*s != 0)
+         int_eximarith_t max;
+         uschar *s;
+ 
+-        max = expand_string_integer(sub, TRUE);
++        max = expanded_string_integer(sub, TRUE);
+         if (expand_string_message != NULL)
+           goto EXPAND_FAILED;
+         s = string_sprintf("%d", vaguely_random_number((int)max));
+@@ -6129,8 +6130,32 @@ Returns:  the integer value, or
+ int_eximarith_t
+ expand_string_integer(uschar *string, BOOL isplus)
+ {
++return expanded_string_integer(expand_string(string), isplus);
++}
++
++
++/*************************************************
++ *         Interpret string as an integer        *
++ *************************************************/
++
++/* Convert a string (that has already been expanded) into an integer.
++
++This function is used inside the expansion code.
++
++Arguments:
++  s       the string to be expanded
++  isplus  TRUE if a non-negative number is expected
++
++Returns:  the integer value, or
++          -1 if string is NULL (which implies an expansion error)
++          -2 for an integer interpretation error
++          expand_string_message is set NULL for an OK integer
++*/
++
++static int_eximarith_t
++expanded_string_integer(uschar *s, BOOL isplus)
++{
+ int_eximarith_t value;
+-uschar *s = expand_string(string);
+ uschar *msg = US"invalid integer \"%s\"";
+ uschar *endptr;
+ 
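Review bot: In the new comment block above expanded_string_integer(), the argument line reads "s  the string to be expanded", which contradicts the sentence just above it saying the string has already been expanded. That distinction is the whole point of the fix, so reword it to something like "s  the already-expanded string to interpret". The Description header also misspells "mathematical" as "mathemical". Separately, the wrapper now passes the result of expand_string(string) straight into expanded_string_integer(), and the comment promises -1 when the string is NULL; the visible context ends at the declarations, so confirm that the NULL check on s still runs before s is first dereferenced. Only the two call sites at @@ -2115 and @@ -5932 are switched to the non-expanding variant, so check expand.c for any other caller that hands expand_string_integer() text that was already expanded.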
diff -Nru exim4-4.80/debian/patches/series exim4-4.80/debian/patches/series
--- exim4-4.80/debian/patches/series	2012-11-25 09:27:27.000000000 +0100
+++ exim4-4.80/debian/patches/series	2014-07-21 07:54:41.000000000 +0200
@@ -16,3 +16,4 @@
 84_CVE-2012-5671.patch
 85_server_set_id_SPA.diff
 86_Dovecot-robustness.diff
+87_double_expansion.diff
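Review bot: The added series entry 87_double_expansion.diff gives no hint that it is a security fix, unlike 84_CVE-2012-5671.patch three lines above it. Consider naming the patch after the CVE, or at least referencing the CVE in the patch header, so the fix is easy to locate in debian/patches later.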
