Your message dated Sat, 18 Oct 2014 12:06:30 +0100 with message-id <E1XfRqA-0002Rs-Cw@jacala> and subject line Closing bugs for updates in 7.7 has caused the Debian Bug report #755712, regarding wheezy-pu: package exim4/4.80-7 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 755712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755712 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package exim4/4.80-7
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Tue, 22 Jul 2014 18:12:15 +0200
- Message-id: <20140722161215.GA1229@downhill.g.la>
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian.org@packages.debian.org Usertags: pu Hello, exim 4.83 includes a fix for a minor security issue (local privilege escalation to exim user) which I would like to fix for stable. I have already doublechecked with debian security that fixing this via a stable update instead of a DSA is the right thing to do. debdiff attached. This is CVE-2014-2972. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'File lists identical on package level (after any substitutions) Control files of package exim4: lines which differ (wdiff format) ----------------------------------------------------------------- Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-base: lines which differ (wdiff format) ---------------------------------------------------------------------- Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-config: lines which differ (wdiff format) ------------------------------------------------------------------------ Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-daemon-heavy: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Installed-Size: [-2935-] {+2936+} Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-daemon-light: lines which differ (wdiff format) ------------------------------------------------------------------------------ Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Installed-Size: [-2591-] {+2592+} Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-dbg: lines which differ (wdiff format) --------------------------------------------------------------------- Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package exim4-dev: lines which differ (wdiff format) --------------------------------------------------------------------- Version: [-4.80-7-] {+4.80-7+deb7u1+} Control files of package eximon4: lines which differ (wdiff format) ------------------------------------------------------------------- Version: [-4.80-7-] {+4.80-7+deb7u1+} diff -Nru exim4-4.80/debian/changelog exim4-4.80/debian/changelog --- exim4-4.80/debian/changelog 2013-01-02 19:37:26.000000000 +0100 +++ exim4-4.80/debian/changelog 2014-07-21 08:16:02.000000000 +0200 @@ -1,3 +1,10 @@ +exim4 (4.80-7+deb7u1) wheezy; urgency=high + + * [87_double_expansion.diff] from upstream. Stop unwanted double expansion + of arguments to mathematical comparison operations. + + -- Andreas Metzler <ametzler@debian.org> Mon, 21 Jul 2014 07:55:47 +0200 + exim4 (4.80-7) unstable; urgency=low * Use exim's ${quote:xxx} operator when invoking spfquery to disallow diff -Nru exim4-4.80/debian/patches/87_double_expansion.diff exim4-4.80/debian/patches/87_double_expansion.diff --- exim4-4.80/debian/patches/87_double_expansion.diff 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.80/debian/patches/87_double_expansion.diff 2014-07-21 07:54:04.000000000 +0200 @@ -0,0 +1,70 @@ +Description: Fix double expansions with mathemical comparison operations. +Author: Todd Lyons <tlyons@exim.org> +Origin: upstream +Forwarded: not-needed +Last-Update: 2014-07-20 + +Index: exim-4.80/src/expand.c +=================================================================== +--- exim-4.80.orig/src/expand.c 2012-05-31 00:40:15.000000000 +0000 ++++ exim-4.80/src/expand.c 2014-07-21 05:50:45.935359061 +0000 +@@ -14,6 +14,7 @@ + /* Recursively called function */ + + static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL); ++static int_eximarith_t expanded_string_integer(uschar *, BOOL); + + #ifdef STAND_ALONE + #ifndef SUPPORT_CRYPTEQ +@@ -2115,7 +2116,7 @@ switch(cond_type) + } + else + { +- num[i] = expand_string_integer(sub[i], FALSE); ++ num[i] = expanded_string_integer(sub[i], FALSE); + if (expand_string_message != NULL) return NULL; + } + } +@@ -5932,7 +5933,7 @@ while (*s != 0) + int_eximarith_t max; + uschar *s; + +- max = expand_string_integer(sub, TRUE); ++ max = expanded_string_integer(sub, TRUE); + if (expand_string_message != NULL) + goto EXPAND_FAILED; + s = string_sprintf("%d", vaguely_random_number((int)max)); +@@ -6129,8 +6130,32 @@ Returns: the integer value, or + int_eximarith_t + expand_string_integer(uschar *string, BOOL isplus) + { ++return expanded_string_integer(expand_string(string), isplus); ++} ++ ++ ++/************************************************* ++ * Interpret string as an integer * ++ *************************************************/ ++ ++/* Convert a string (that has already been expanded) into an integer. ++ ++This function is used inside the expansion code. ++ ++Arguments: ++ s the string to be expanded ++ isplus TRUE if a non-negative number is expected ++ ++Returns: the integer value, or ++ -1 if string is NULL (which implies an expansion error) ++ -2 for an integer interpretation error ++ expand_string_message is set NULL for an OK integer ++*/ ++ ++static int_eximarith_t ++expanded_string_integer(uschar *s, BOOL isplus) ++{ + int_eximarith_t value; +-uschar *s = expand_string(string); + uschar *msg = US"invalid integer \"%s\""; + uschar *endptr; + diff -Nru exim4-4.80/debian/patches/series exim4-4.80/debian/patches/series --- exim4-4.80/debian/patches/series 2012-11-25 09:27:27.000000000 +0100 +++ exim4-4.80/debian/patches/series 2014-07-21 07:54:41.000000000 +0200 @@ -16,3 +16,4 @@ 84_CVE-2012-5671.patch 85_server_set_id_SPA.diff 86_Dovecot-robustness.diff +87_double_expansion.diffAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 755712-done@bugs.debian.org
- Subject: Closing bugs for updates in 7.7
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 18 Oct 2014 12:06:30 +0100
- Message-id: <E1XfRqA-0002Rs-Cw@jacala>
Version: 7.7 The upload discussed in this bug was included in the 7.7 point release. Regards, Adam
--- End Message ---