Re: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability
From: Marc Haber (mh+full-disclosure_at_zugschlus.de)
Date: Sun, 16 Jan 2005 14:25:28 +0100
To: firstname.lastname@example.org
On Fri, Jan 14, 2005 at 12:41:05PM -0500, email@example.com wrote:
> Exim dns_buld_reverse() Buffer Overflow Vulnerability
That would have to be dns_build_reverse.
> iDEFENSE Security Advisory 01.14.05
unviewable with a browser configured to minimize the surfing risk. For
a security-related organization, I consider this poor design.
> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`
That one is syntactically invalid, and neither of the obvious fixes
results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
correctly complains that it is unable to parse the parameter as an
IPv6 address and exits with an exit code of 1. The same happens with a
locally built 4.41 without Debian patches.
> iDEFENSE has confirmed the existence of this vulnerability in Exim
> versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
> is also vulnerable. It is suspected that earlier versions are also
According to the upstream author's advisory, released ten days before
the date of the advisory I am replying to, 4.43 is vulnerable as well.
> V. WORKAROUND
> iDEFENSE is currently unaware of any effective workarounds for this
However, exim's author has released a patch addressing this
vulnerability ten days before the release of the advisory stating
there are no effective workarounds.
So you are basically saying that the patch from Philip Hazel is
> VI. VENDOR RESPONSE
> A patch for Exim release 4.43 which addresses this vulnerability is
> available at:
Is that patch an effective workaround, or is it not?
> The patch will be incorporated into a future Exim release (4.50).
There is also an interim release 4.44 incorporating the patch:
I find it also interesting that the release message references two
iDEFENSE notification messages which reference numbers have not been
included in the final advisory as released by iDEFENSE.
> VII. CVE INFORMATION
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten
days before the date of the advisory stating that no CVE number has
> VIII. DISCLOSURE TIMELINE
> 09/30/2004 Initial vendor notification
> 09/30/2004 Initial vendor response
01/04/2005 Vendor releases a patch
01/14/2005 Vendor releases interim release incorporating the patch
> 01/14/2005 Public disclosure
> IX. CREDIT
> The discoverer of this vulnerability wishes to remain anonymous.
I can fully understand that. The entire advisory seems to be _very_
sloppily prepared, or to have been unduly delayed and passed by
reality before it was finally released.
If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
should not have been released in the first place. If it addresses a
new vulnerability, it should be more clear in that regard. And it
should include code that actually allows one to reproduce the vulnerability.
Just for the record:
The following package versions of exim and exim4 in Debian/GNU Linux
fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:
exim4 4.43-2 experimental
exim4 4.34-10 unstable, testing
exim 3.36-13 unstable, testing
exim 3.35-1woody4 stable
exim-tls 3.35-3woody3 stable
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
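The thread above turns on how a reverse-DNS name builder should treat an address it cannot parse: the patched exim rejects the malformed IPv6 argument and exits instead of writing it into a buffer. The following is an added illustration of that defensive pattern, written for this page; it is not Exim's dns_build_reverse() or any code from the advisory. The function name build_reverse_name, the two small wrapper functions, and the sample addresses are all constructed for the example. The address is parsed with inet_pton() before anything is written, and every write is checked against the caller's buffer length, so a bad or oversized argument yields an error return rather than an overflow.

```c
/* Added example (not Exim's code): build the PTR query name for an IPv4 or
   IPv6 address into a caller-supplied, bounded buffer. Malformed input is
   rejected by inet_pton() before any byte is written. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Returns the number of characters written (excluding the NUL), or -1 if the
   address does not parse or the buffer is too small. */
int build_reverse_name(const char *addr, char *out, size_t outlen)
{
    unsigned char v4[4];
    unsigned char v6[16];
    size_t pos = 0;

    if (inet_pton(AF_INET6, addr, v6) == 1) {
        /* 32 nibbles in reverse order, each followed by '.', then "ip6.arpa":
           32 * 2 + 8 + 1 (NUL) = 73 bytes are required. */
        if (outlen < 73)
            return -1;
        for (int i = 15; i >= 0; i--) {
            unsigned lo = v6[i] & 0x0f, hi = v6[i] >> 4;
            out[pos++] = "0123456789abcdef"[lo];
            out[pos++] = '.';
            out[pos++] = "0123456789abcdef"[hi];
            out[pos++] = '.';
        }
        memcpy(out + pos, "ip6.arpa", 9);   /* 8 chars + NUL, fits by the check above */
        return (int)(pos + 8);
    }
    if (inet_pton(AF_INET, addr, v4) == 1) {
        /* snprintf() truncates safely; treat truncation as an error. */
        int n = snprintf(out, outlen, "%u.%u.%u.%u.in-addr.arpa",
                         v4[3], v4[2], v4[1], v4[0]);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        return n;
    }
    /* Not a valid address: refuse it; never copy raw input into the buffer. */
    return -1;
}

/* Convenience wrappers (constructed for the example) so results can be
   checked as return values: length produced for a given buffer size, and
   whether the produced name equals an expected string. */
int reverse_name_len(const char *addr, size_t outlen)
{
    char buf[128];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return build_reverse_name(addr, buf, outlen);
}

int reverse_name_equals(const char *addr, const char *expected)
{
    char buf[128];
    if (build_reverse_name(addr, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Sample inputs are constructed; "::%A" mirrors the shape of the
       advisory's unparseable argument. */
    const char *samples[] = { "192.0.2.1", "::1", "2001:db8::1", "::%A" };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_reverse_name(samples[i], buf, sizeof buf);
        if (n < 0)
            printf("%-12s -> rejected\n", samples[i]);
        else
            printf("%-12s -> %s (%d chars)\n", samples[i], buf, n);
    }
    return 0;
}
```

The check that matters is the order of operations: parse first, size the output from the parsed form, and only then write. A builder that copies the textual argument while walking it has no such fixed upper bound, which is the class of defect the advisory describes.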