|
|
@@ -0,0 +1,127 @@
|
|
|
+Security patches regarding two issues discussed at
|
|
|
+http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
|
|
|
+
|
|
|
+diff -Naur exim-4.43.orig/src/auths/auth-spa.c exim-4.43/src/auths/auth-spa.c
|
|
|
+--- exim-4.43.orig/src/auths/auth-spa.c 2004-10-05 10:32:08.000000000 +0200
|
|
|
++++ exim-4.43/src/auths/auth-spa.c 2005-01-07 08:32:42.000000000 +0100
|
|
|
+@@ -405,7 +405,7 @@
|
|
|
+ }
|
|
|
+
|
|
|
+ int
|
|
|
+-spa_base64_to_bits (char *out, const char *in)
|
|
|
++spa_base64_to_bits (char *out, int outlength, const char *in)
|
|
|
+ /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
|
|
|
+ {
|
|
|
+ int len = 0;
|
|
|
+@@ -418,6 +418,8 @@
|
|
|
+
|
|
|
+ do
|
|
|
+ {
|
|
|
++ if (len >= outlength)
|
|
|
++ return (-1);
|
|
|
+ digit1 = in[0];
|
|
|
+ if (DECODE64 (digit1) == BAD)
|
|
|
+ return (-1);
|
|
|
+@@ -435,11 +437,15 @@
|
|
|
+ ++len;
|
|
|
+ if (digit3 != '=')
|
|
|
+ {
|
|
|
++ if (len >= outlength)
|
|
|
++ return (-1);
|
|
|
+ *out++ =
|
|
|
+ ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
|
|
|
+ ++len;
|
|
|
+ if (digit4 != '=')
|
|
|
+ {
|
|
|
++ if (len >= outlength)
|
|
|
++ return (-1);
|
|
|
+ *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
|
|
|
+ ++len;
|
|
|
+ }
|
|
|
+diff -Naur exim-4.43.orig/src/auths/auth-spa.h exim-4.43/src/auths/auth-spa.h
|
|
|
+--- exim-4.43.orig/src/auths/auth-spa.h 2004-10-05 10:32:08.000000000 +0200
|
|
|
++++ exim-4.43/src/auths/auth-spa.h 2005-01-07 08:34:06.000000000 +0100
|
|
|
+@@ -10,6 +10,9 @@
|
|
|
+ * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
|
|
|
+ */
|
|
|
+
|
|
|
++/* December 2004: The spa_base64_to_bits() function has no length checking in
|
|
|
++it. I have added a check. PH */
|
|
|
++
|
|
|
+ /* It seems that some systems have existing but different definitions of some
|
|
|
+ of the following types. I received a complaint about "int16" causing
|
|
|
+ compilation problems. So I (PH) have renamed them all, to be on the safe side.
|
|
|
+@@ -75,7 +78,7 @@
|
|
|
+ #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
|
|
|
+
|
|
|
+ void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
|
|
|
+-int spa_base64_to_bits(char *, const char *);
|
|
|
++int spa_base64_to_bits(char *, int, const char *);
|
|
|
+ void spa_build_auth_response (SPAAuthChallenge *challenge,
|
|
|
+ SPAAuthResponse *response, char *user, char *password);
|
|
|
+ void spa_build_auth_request (SPAAuthRequest *request, char *user,
|
|
|
+diff -Naur exim-4.43.orig/src/auths/spa.c exim-4.43/src/auths/spa.c
|
|
|
+--- exim-4.43.orig/src/auths/spa.c 2004-10-05 10:32:08.000000000 +0200
|
|
|
++++ exim-4.43/src/auths/spa.c 2005-01-07 08:35:39.000000000 +0100
|
|
|
+@@ -133,7 +133,7 @@
|
|
|
+ return FAIL;
|
|
|
+ }
|
|
|
+
|
|
|
+-if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0)
|
|
|
++if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
|
|
|
+ {
|
|
|
+ DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
|
|
|
+ "request: %s\n", data);
|
|
|
+@@ -153,7 +153,7 @@
|
|
|
+ }
|
|
|
+
|
|
|
+ /* dump client response */
|
|
|
+-if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0)
|
|
|
++if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
|
|
|
+ {
|
|
|
+ DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
|
|
|
+ "response: %s\n", data);
|
|
|
+@@ -319,7 +319,7 @@
|
|
|
+ /* convert the challenge into the challenge struct */
|
|
|
+ DSPA("\n\n%s authenticator: challenge (%s)\n\n",
|
|
|
+ ablock->name, buffer + 4);
|
|
|
+- spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4));
|
|
|
++ spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));
|
|
|
+
|
|
|
+ spa_build_auth_response (&challenge, &response,
|
|
|
+ CS username, CS password);
|
|
|
+diff -Naur exim-4.43.orig/src/host.c exim-4.43/src/host.c
|
|
|
+--- exim-4.43.orig/src/host.c 2004-10-05 10:32:08.000000000 +0200
|
|
|
++++ exim-4.43/src/host.c 2005-01-07 08:28:02.000000000 +0100
|
|
|
+@@ -710,12 +710,18 @@
|
|
|
+
|
|
|
+ if (*p == ':') p++;
|
|
|
+
|
|
|
+- /* Split the address into components separated by colons. */
|
|
|
++ /* Split the address into components separated by colons. The input address
|
|
|
++ is supposed to be checked for syntax. There was a case where this was
|
|
|
++ overlooked; to guard against that happening again, check here and crash if
|
|
|
++ there is a violation. */
|
|
|
+
|
|
|
+ while (*p != 0)
|
|
|
+ {
|
|
|
+ int len = Ustrcspn(p, ":");
|
|
|
+ if (len == 0) nulloffset = ci;
|
|
|
++ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
|
|
|
++ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
|
|
|
++ address);
|
|
|
+ component[ci++] = p;
|
|
|
+ p += len;
|
|
|
+ if (*p == ':') p++;
|
|
|
+diff -Naur exim-4.43.orig/src/lookups/dnsdb.c exim-4.43/src/lookups/dnsdb.c
|
|
|
+--- exim-4.43.orig/src/lookups/dnsdb.c 2004-10-05 10:32:08.000000000 +0200
|
|
|
++++ exim-4.43/src/lookups/dnsdb.c 2005-01-07 08:28:38.000000000 +0100
|
|
|
+@@ -125,7 +125,7 @@
|
|
|
+ /* If the type is PTR, we have to construct the relevant magic lookup
|
|
|
+ key. This code is now in a separate function. */
|
|
|
+
|
|
|
+-if (type == T_PTR)
|
|
|
++if (type == T_PTR && string_is_ip_address(keystring, NULL))
|
|
|
+ {
|
|
|
+ dns_build_reverse(keystring, buffer);
|
|
|
+ keystring = buffer;
|
Christoph Schug