[Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability
From: customer service mailbox (customerservice_at_idefense.com)
Date: Wed, 19 Jan 2005 11:12:00 -0500
To: <email@example.com>
There has been some confusion over the CVE numbers issued for three
recently released Exim security vulnerabilities. In discussions with
both Mitre and the Exim maintainers, a decision has been made to issue
the following CVE numbers for these vulnerabilities:
Exim dns_buld_reverse() Buffer Overflow Vulnerability
Exim host_aton() Buffer Overflow Vulnerability
Exim auth_spa_server() Buffer Overflow Vulnerability
The determination was made by Mitre to combine the dns_buld_reverse()
and host_aton() into a single CVE number due to the fact that they are both
buffer overflows addressed by the same patch.
>> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`
>That one is syntactically invalid, and neither of the obvious fixes
>does result in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
>correctly complains that it is unable to parse the parameter as an
>IPv6 address and exits with an exit code of 1. The same happens with a
>locally built 4.41 without Debian patches.
Marc - I appreciate your bringing this to our attention. You are correct
that the code was syntactically invalid. We have updated the advisory
with the following code:
/path/to/exim-binary -bh ::%A:::::::::::::::::`perl -e 'print
pack("L",0xdeadbeef) x 256'`
Lastly, the wording of the Vendor Response section has been updated to
clarify the correct vendor fix for this issue.
"The vulnerability has been fixed in Exim release 4.44."
The public advisories on the iDEFENSE web site have been updated to
reflect these changes.
My apologies for the confusion.
Director, iDEFENSE Labs
Full-Disclosure - We believe in it.