[Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability

From: customer service mailbox (customerservice_at_idefense.com)
Date: 01/19/05

    Date: Wed, 19 Jan 2005 11:12:00 -0500
    To: <full-disclosure@lists.netsys.com>

    There has been some confusion over the CVE numbers issued for three
    recently released Exim security vulnerabilities. In discussions with
    both Mitre and the Exim maintainers, a decision has been made to issue
    the following CVE numbers for these vulnerabilities:

    Exim dns_buld_reverse() Buffer Overflow Vulnerability
    http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities
    CAN-2005-0021

    Exim host_aton() Buffer Overflow Vulnerability
    http://www.idefense.com/application/poi/display?id=179&type=vulnerabilities
    CAN-2005-0021

    Exim auth_spa_server() Buffer Overflow Vulnerability
    http://www.idefense.com/application/poi/display?id=178&type=vulnerabilities
    CAN-2005-0022

    The determination was made by Mitre to combine the dns_buld_reverse()
    and host_aton() issues into a single CVE number due to the fact that they
    are both buffer overflows addressed by the same patch.

    >> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

    >That one is syntactically invalid, and neither of the obvious fixes
    >does result in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
    >correctly complains that it is unable to parse the parameter as an
    >IPv6 address and exits with an exit code of 1. The same happens with a
    >locally built 4.41 without Debian patches.

    Marc - I appreciate your bringing this to our attention. You are correct
    that the code was syntactically invalid. We have updated the advisory
    with the following code:

       /path/to/exim-binary -bh ::%A:::::::::::::::::`perl -e 'print pack("L",0xdeadbeef) x 256'`

    Lastly, the wording of the Vendor Response section has been updated to
    clarify the correct vendor fix for this issue.

       "The vulnerability has been fixed in Exim release 4.44."

    The public advisories on the iDEFENSE web site have been updated to
    reflect these changes.

    My apologies for the confusion.

    Regards,

    Michael Sutton
    Director, iDEFENSE Labs

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
