
Bug#755712: marked as done (wheezy-pu: package exim4/4.80-7)



Your message dated Sat, 18 Oct 2014 12:06:30 +0100
with message-id <E1XfRqA-0002Rs-Cw@jacala>
and subject line Closing bugs for updates in 7.7
has caused the Debian Bug report #755712,
regarding wheezy-pu: package exim4/4.80-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
755712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

exim 4.83 includes a fix for a minor security issue (local privilege
escalation to exim user) which I would like to fix for stable. I have
already double-checked with Debian security that fixing this via a
stable update instead of a DSA is the right thing to do.

debdiff attached.

This is CVE-2014-2972.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
File lists identical on package level (after any substitutions)

Control files of package exim4: lines which differ (wdiff format)
-----------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-base: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-config: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-2935-] {+2936+}
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
------------------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-daemon-light-dbg: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-2591-] {+2592+}
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package exim4-dev: lines which differ (wdiff format)
---------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}

Control files of package eximon4: lines which differ (wdiff format)
-------------------------------------------------------------------
Version: [-4.80-7-] {+4.80-7+deb7u1+}
diff -Nru exim4-4.80/debian/changelog exim4-4.80/debian/changelog
--- exim4-4.80/debian/changelog	2013-01-02 19:37:26.000000000 +0100
+++ exim4-4.80/debian/changelog	2014-07-21 08:16:02.000000000 +0200
@@ -1,3 +1,10 @@
+exim4 (4.80-7+deb7u1) wheezy; urgency=high
+
+  * [87_double_expansion.diff] from upstream. Stop unwanted double expansion
+    of arguments to mathematical comparison operations.
+
+ -- Andreas Metzler <ametzler@debian.org>  Mon, 21 Jul 2014 07:55:47 +0200
+
 exim4 (4.80-7) unstable; urgency=low
 
   * Use exim's ${quote:xxx} operator when invoking spfquery to disallow
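Review bot: The new changelog entry at the top of this hunk does not name CVE-2014-2972, although the request identifies the fix as that CVE; adding the identifier to the bullet that describes 87_double_expansion.diff lets administrators and security trackers match the upload to the issue. The entry also sets urgency=high while the request calls the issue minor, so it is worth confirming that urgency is intended for a stable update.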
diff -Nru exim4-4.80/debian/patches/87_double_expansion.diff exim4-4.80/debian/patches/87_double_expansion.diff
--- exim4-4.80/debian/patches/87_double_expansion.diff	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.80/debian/patches/87_double_expansion.diff	2014-07-21 07:54:04.000000000 +0200
@@ -0,0 +1,70 @@
+Description: Fix double expansions with mathemical comparison operations.
+Author: Todd Lyons <tlyons@exim.org>
+Origin: upstream
+Forwarded: not-needed
+Last-Update: 2014-07-20
+
+Index: exim-4.80/src/expand.c
+===================================================================
+--- exim-4.80.orig/src/expand.c	2012-05-31 00:40:15.000000000 +0000
++++ exim-4.80/src/expand.c	2014-07-21 05:50:45.935359061 +0000
+@@ -14,6 +14,7 @@
+ /* Recursively called function */
+ 
+ static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL);
++static int_eximarith_t expanded_string_integer(uschar *, BOOL);
+ 
+ #ifdef STAND_ALONE
+ #ifndef SUPPORT_CRYPTEQ
+@@ -2115,7 +2116,7 @@ switch(cond_type)
+         }
+       else
+         {
+-        num[i] = expand_string_integer(sub[i], FALSE);
++        num[i] = expanded_string_integer(sub[i], FALSE);
+         if (expand_string_message != NULL) return NULL;
+         }
+       }
+@@ -5932,7 +5933,7 @@ while (*s != 0)
+         int_eximarith_t max;
+         uschar *s;
+ 
+-        max = expand_string_integer(sub, TRUE);
++        max = expanded_string_integer(sub, TRUE);
+         if (expand_string_message != NULL)
+           goto EXPAND_FAILED;
+         s = string_sprintf("%d", vaguely_random_number((int)max));
+@@ -6129,8 +6130,32 @@ Returns:  the integer value, or
+ int_eximarith_t
+ expand_string_integer(uschar *string, BOOL isplus)
+ {
++return expanded_string_integer(expand_string(string), isplus);
++}
++
++
++/*************************************************
++ *         Interpret string as an integer        *
++ *************************************************/
++
++/* Convert a string (that has already been expanded) into an integer.
++
++This function is used inside the expansion code.
++
++Arguments:
++  s       the string to be expanded
++  isplus  TRUE if a non-negative number is expected
++
++Returns:  the integer value, or
++          -1 if string is NULL (which implies an expansion error)
++          -2 for an integer interpretation error
++          expand_string_message is set NULL for an OK integer
++*/
++
++static int_eximarith_t
++expanded_string_integer(uschar *s, BOOL isplus)
++{
+ int_eximarith_t value;
+-uschar *s = expand_string(string);
+ uschar *msg = US"invalid integer \"%s\"";
+ uschar *endptr;
+ 
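Review bot: The comment block added before expanded_string_integer() in the last expand.c hunk documents the argument as "s the string to be expanded", which contradicts the sentence just above it ("a string (that has already been expanded)") and restates the very ambiguity this fix removes; suggest wording such as "s the already-expanded string to convert". The patch header has a typo in Description ("mathemical") and does not reference CVE-2014-2972. Since expand_string_integer() now passes the result of expand_string(string) straight through, the retained body must still treat a NULL s as the documented -1 case; that check is not among the visible lines, so please confirm it is still the first thing the function does.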
diff -Nru exim4-4.80/debian/patches/series exim4-4.80/debian/patches/series
--- exim4-4.80/debian/patches/series	2012-11-25 09:27:27.000000000 +0100
+++ exim4-4.80/debian/patches/series	2014-07-21 07:54:41.000000000 +0200
@@ -16,3 +16,4 @@
 84_CVE-2012-5671.patch
 85_server_set_id_SPA.diff
 86_Dovecot-robustness.diff
+87_double_expansion.diff
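Review bot: The new series entry 87_double_expansion.diff does not carry the CVE identifier in its file name, unlike 84_CVE-2012-5671.patch three lines above it; naming the patch after CVE-2014-2972 would keep security fixes easy to find when auditing the series file. Appending it at the end of the series is fine.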

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 7.7

The upload discussed in this bug was included in the 7.7 point release.

Regards,

Adam

--- End Message ---
