summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFabian Groffen <grobian@gentoo.org>2020-05-13 09:44:37 +0200
committerFabian Groffen <grobian@gentoo.org>2020-05-13 09:45:13 +0200
commit1468afd12e683a61448e2ff58c47e54715f0ff29 (patch)
treef95c13bf6ff2f7232e7d4b4d7e374f733b9fe863 /mail-mta
parentnet-analyzer/bwping: Version 1.17 (diff)
downloadgentoo-1468afd12e683a61448e2ff58c47e54715f0ff29.tar.gz
gentoo-1468afd12e683a61448e2ff58c47e54715f0ff29.tar.bz2
gentoo-1468afd12e683a61448e2ff58c47e54715f0ff29.zip
mail-mta/exim-4.93.0.4-r1: revbump for CVE-2020-12783
Bug: https://bugs.gentoo.org/722484 Package-Manager: Portage-2.3.89, Repoman-2.3.20 Signed-off-by: Fabian Groffen <grobian@gentoo.org>
Diffstat (limited to 'mail-mta')
-rw-r--r--mail-mta/exim/exim-4.93.0.4-r1.ebuild (renamed from mail-mta/exim/exim-4.93.0.4.ebuild)1
-rw-r--r--mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch83
2 files changed, 84 insertions, 0 deletions
diff --git a/mail-mta/exim/exim-4.93.0.4.ebuild b/mail-mta/exim/exim-4.93.0.4-r1.ebuild
index ae3fd4019c8..714de0e7045 100644
--- a/mail-mta/exim/exim-4.93.0.4.ebuild
+++ b/mail-mta/exim/exim-4.93.0.4-r1.ebuild
@@ -115,6 +115,7 @@ src_prepare() {
eapply "${FILESDIR}"/exim-4.69-r1.27021.patch
eapply "${FILESDIR}"/exim-4.93-localscan_dlopen.patch
eapply -p2 "${FILESDIR}"/exim-4.93-radius.patch # 720364
+ eapply "${FILESDIR}"/exim-4.93-CVE-2020-12783.patch # 722484
if use maildir ; then
eapply "${FILESDIR}"/exim-4.20-maildir.patch
diff --git a/mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch b/mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch
new file mode 100644
index 00000000000..c957d5541e4
--- /dev/null
+++ b/mail-mta/exim/files/exim-4.93-CVE-2020-12783.patch
@@ -0,0 +1,83 @@
+auths/spa: fix for CVE-2020-12783
+
+This is a combined patch of git commits:
+
+57aa14b216432be381b6295c312065b2fd034f86
+a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
+
+leaving out whitespace noise for a smaller patch
+and made it apply to the 4.93 release
+
+modified paths because Exim dists differ in layout from the git repo
+
+Fix SPA authenticator, checking client-supplied data before using it. Bug 2571
+Rework SPA fix to avoid overflows. Bug 2571
+
+
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -405,7 +405,7 @@ int
+ /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
+ {
+ int len = 0;
+- register uschar digit1, digit2, digit3, digit4;
++ uschar digit1, digit2, digit3, digit4;
+
+ if (in[0] == '+' && in[1] == ' ')
+ in += 2;
+--- a/src/auths/spa.c
++++ b/src/auths/spa.c
+@@ -139,7 +139,8 @@ SPAAuthChallenge challenge;
+ SPAAuthResponse response;
+ SPAAuthResponse *responseptr = &response;
+ uschar msgbuf[2048];
+-uschar *clearpass;
++uschar *clearpass, *s;
++unsigned off;
+
+ /* send a 334, MS Exchange style, and grab the client's request,
+ unless we already have it via an initial response. */
+@@ -194,9 +195,19 @@ that causes failure if the size of msgbuf is exceeded. ****/
+
+ {
+ int i;
+- char *p = ((char*)responseptr) + IVAL(&responseptr->uUser.offset,0);
++ char * p;
+ int len = SVAL(&responseptr->uUser.len,0)/2;
+
++ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
++ || len >= sizeof(responseptr->buffer)/2
++ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
++ )
++ {
++ DEBUG(D_auth)
++ debug_printf("auth_spa_server(): bad uUser spec in response\n");
++ return FAIL;
++ }
++
+ if (len + 1 >= sizeof(msgbuf)) return FAIL;
+ for (i = 0; i < len; ++i)
+ {
+@@ -245,12 +256,16 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);
+
+ /* compare NT hash (LM may not be available) */
+
+-if (memcmp(ntRespData,
+- ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0),
+- 24) == 0)
+- /* success. we have a winner. */
+- {
++off = IVAL(&responseptr->ntResponse.offset,0);
++if (off >= sizeof(SPAAuthResponse) - 24)
++ {
++ DEBUG(D_auth)
++ debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
++ return FAIL;
++ }
++s = (US responseptr) + off;
++
++if (memcmp(ntRespData, s, 24) == 0)
+ return auth_check_serv_cond(ablock);
+- }
+
+ /* Expand server_condition as an authorization check (PH) */