Re: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability

From: Marc Haber (
Date: 01/16/05

    Date: Sun, 16 Jan 2005 14:25:28 +0100


    On Fri, Jan 14, 2005 at 12:41:05PM -0500, wrote:
    > Exim dns_buld_reverse() Buffer Overflow Vulnerability

    That would have to be dns_build_reverse.

    > iDEFENSE Security Advisory 01.14.05

    That web page is only viewable with JavaScript enabled, and is thus
    unviewable with a browser configured to minimize the surfing risk. For
    a security-related organization, I consider this poor design.

    > /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

    That one is syntactically invalid, and neither of the obvious fixes
    results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
    correctly complains that it is unable to parse the parameter as an
    IPv6 address and exits with an exit code of 1. The same happens with a
    locally built 4.41 without Debian patches.

    > iDEFENSE has confirmed the existence of this vulnerability in Exim
    > versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
    > is also vulnerable. It is suspected that earlier versions are also
    > vulnerable.

    According to the upstream author's advisory, released ten days before
    the date of the advisory I am replying to, 4.43 is vulnerable as well.

    > iDEFENSE is currently unaware of any effective workarounds for this
    > vulnerability.

    However, exim's author had released a patch addressing this
    vulnerability ten days before the release of the advisory stating
    that there are no effective workarounds.

    So you are basically saying that the patch from Philip Hazel is

    > A patch for Exim release 4.43 which addresses this vulnerability is
    > available at:

    Is that patch an effective workaround, or is it not?

    > The patch will be incorporated into a future Exim release (4.50).

    There is also an interim release 4.44 incorporating the patch:

    I also find it interesting that the release message references two
    iDEFENSE notification messages whose reference numbers have not been
    included in the final advisory as released by iDEFENSE.

    > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    > been assigned yet.

    CAN-2005-0021 and CAN-2005-0022 were assigned on 2005-01-04, ten
    days before the date of the advisory stating that no CVE number has
    been assigned.

    > 09/30/2004 Initial vendor notification
    > 09/30/2004 Initial vendor response
      01/04/2005 Vendor releases a patch
      01/14/2005 Vendor releases interim release incorporating the patch
    > 01/14/2005 Public disclosure

    > IX. CREDIT
    > The discoverer of this vulnerability wishes to remain anonymous.

    I can fully understand that. The entire advisory seems to be _very_
    sloppily prepared, or to have been unduly delayed and passed by
    reality before it was finally released.

    If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
    should not have been released in the first place. If it addresses a
    new vulnerability, it should be clearer in that regard. And it
    should include code that actually allows one to reproduce the vulnerability.

    Just for the record:
    The following package versions of exim and exim4 in Debian/GNU Linux
    fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

    exim4 4.43-2 experimental
    exim4 4.34-10 unstable, testing
    exim 3.36-13 unstable, testing
    exim 3.35-1woody4 stable
    exim-tls 3.35-3woody3 stable


    Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
    Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
    Full-Disclosure - We believe in it.
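The advisory names a buffer overflow in dns_build_reverse(), the routine that turns a peer address into the PTR query name (x.x.x.x.in-addr.arpa / nibble.ip6.arpa), and Marc notes that a current exim rejects the malformed "::%A..." argument before it gets anywhere near that code. The following is an added example, not Exim's own code and not the patch from Philip Hazel: an illustrative bounds-checked reverse-name builder that parses the input with inet_pton() first and checks every write against the caller's buffer size. The function names, the 128-byte buffers and the sample inputs (including a constructed stand-in for the advisory's "::%A" string, using the little-endian bytes of 0xdeadbeef) are assumptions made for the example.

```c
/* Added example: a bounds-checked reverse-DNS (PTR) name builder.
 * This is NOT Exim's dns_build_reverse(); it only illustrates the two
 * defences a routine of this kind needs: reject input that is not a
 * valid address literal before writing anything, and check each write
 * against the destination size.  Build: cc -std=c99 -Wall reverse.c */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Writes the PTR query name for `addr` into `out` (capacity `outlen`).
 * Returns the name length on success, -1 if `addr` does not parse as an
 * IPv4/IPv6 literal or if the result (plus NUL) would not fit. */
int build_reverse_name(const char *addr, char *out, size_t outlen)
{
    unsigned char v6[16];
    unsigned char v4[4];
    size_t pos = 0;
    int n;

    if (inet_pton(AF_INET, addr, v4) == 1) {
        /* IPv4: octets in reverse order, then in-addr.arpa */
        for (int i = 3; i >= 0; i--) {
            n = snprintf(out + pos, outlen - pos, "%u.", v4[i]);
            if (n < 0 || (size_t)n >= outlen - pos) return -1;
            pos += (size_t)n;
        }
        n = snprintf(out + pos, outlen - pos, "in-addr.arpa");
    } else if (inet_pton(AF_INET6, addr, v6) == 1) {
        /* IPv6: 32 hex nibbles, low nibble of the last byte first, then ip6.arpa */
        for (int i = 15; i >= 0; i--) {
            n = snprintf(out + pos, outlen - pos, "%x.%x.",
                         v6[i] & 0x0f, v6[i] >> 4);
            if (n < 0 || (size_t)n >= outlen - pos) return -1;
            pos += (size_t)n;
        }
        n = snprintf(out + pos, outlen - pos, "ip6.arpa");
    } else {
        return -1;   /* not an address literal, e.g. the "::%A..." string */
    }
    if (n < 0 || (size_t)n >= outlen - pos) return -1;
    return (int)(pos + (size_t)n);
}

/* Convenience wrappers (assumed helper names) used by main() and tests. */
int reverse_name_len(const char *addr)
{
    char buf[128];
    return build_reverse_name(addr, buf, sizeof buf);
}

int reverse_name_equals(const char *addr, const char *expected)
{
    char buf[128];
    if (build_reverse_name(addr, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the third mimics the advisory's
     * "::%A" argument followed by pack('L', 0xdeadbeef) bytes. */
    const char *inputs[] = { "192.0.2.1", "2001:db8::1",
                             "::%A\xef\xbe\xad\xde" };
    char buf[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = build_reverse_name(inputs[i], buf, sizeof buf);
        if (n < 0) printf("%-24s rejected\n", inputs[i]);
        else       printf("%-24s -> %s (%d bytes)\n", inputs[i], buf, n);
    }
    /* Destination too small: fails cleanly instead of overflowing. */
    char tiny[8];
    printf("::1 into 8-byte buffer -> %d\n",
           build_reverse_name("::1", tiny, sizeof tiny));
    return 0;
}
```

The point of the example is the order of operations: the address is parsed into a fixed 4- or 16-byte binary form before any output is produced, so the length of the generated name is bounded by the address family rather than by the length of the attacker-supplied string, and the snprintf() checks catch a caller that passes a buffer too small even for a well-formed address.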
