diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog
--- exim4-4.96/debian/changelog 2023-08-05 03:28:47.000000000 +0000
+++ exim4-4.96/debian/changelog 2023-10-03 13:35:45.000000000 +0000
@@ -1,3 +1,22 @@
+exim4 (4.96-17ubuntu2) mantic; urgency=medium
+
+ * SECURITY UPDATE: information disclosure
+ - debian/patches/CVE-2023-42114.patch: fix possible OOB read in
+ SPA authenticator
+ - CVE-2023-42114
+ * SECURITY UPDATE: remote code execution
+ - debian/patches/CVE-2023-42115.patch: fix possible OOB write in
+ external authenticator
+ - CVE-2023-42115
+ * SECURITY UPDATE: remote code execution
+ - debian/patches/CVE-2023-42116.patch: fix possible OOB write in
+ SPA authenticator
+ - CVE-2023-42116
+ * debian/patches/CVE-2023-42114_15_16.patch:
+ - use uschar more in spa authenticator
+
+ -- Allen Huang Tue, 03 Oct 2023 14:35:45 +0100
+
 exim4 (4.96-17ubuntu1) mantic; urgency=medium

 * Merge with Debian unstable (LP: #2030098). Remaining changes:
diff -Nru exim4-4.96/debian/patches/CVE-2023-42114_15_16.patch exim4-4.96/debian/patches/CVE-2023-42114_15_16.patch
--- exim4-4.96/debian/patches/CVE-2023-42114_15_16.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/CVE-2023-42114_15_16.patch 2023-10-03 13:35:45.000000000 +0000
@@ -0,0 +1,232 @@
+From 0519dcfb5f149154a416b54865fd8026abb57791 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Thu, 11 May 2023 18:53:25 +0100
+Subject: [PATCH 2/4] Auths: use uschar more in spa authenticator
+
+---
+ src/src/auths/auth-spa.c | 72 +++++++++++++++++++++-------------------
+ src/src/auths/auth-spa.h | 8 ++---
+ src/src/auths/spa.c | 13 ++++----
+ 3 files changed, 47 insertions(+), 46 deletions(-)
+
+Index: exim4-4.96/src/auths/auth-spa.c
+===================================================================
+--- exim4-4.96.orig/src/auths/auth-spa.c 2023-10-03 14:35:16.511517725 +0100
++++ exim4-4.96/src/auths/auth-spa.c 2023-10-03 14:35:16.507517793 +0100
+@@ -155,6 +155,9 @@
+ up with a different answer to the one above)
+ */
+
++#ifndef MACRO_PREDEF
++
++
+ #define DEBUG_X(a,b) ;
+
+ extern int DEBUGLEVEL;
+@@ -1229,21 +1232,21 @@
+
+ #define spa_string_add(ptr, header, string) \
+ { \
+-char *p = string; \
++uschar * p = string; \
+ int len = 0; \
+-if (p) len = strlen(p); \
+-spa_bytes_add(ptr, header, (US p), len); \
++if (p) len = Ustrlen(p); \
++spa_bytes_add(ptr, header, p, len); \
+ }
+
+ #define spa_unicode_add_string(ptr, header, string) \
+ { \
+-char *p = string; \
+-uschar *b = NULL; \
++uschar * p = string; \
++uschar * b = NULL; \
+ int len = 0; \
+ if (p) \
+ { \
+- len = strlen(p); \
+- b = strToUnicode(p); \
++ len = Ustrlen(p); \
++ b = US strToUnicode(CS p); \
+ } \
+ spa_bytes_add(ptr, header, b, len*2); \
+ }
+@@ -1366,15 +1369,15 @@
+ #endif
+
+ void
+-spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
++spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
+ {
+-char *u = strdup (user);
+-char *p = strchr (u, '@');
++uschar * u = string_copy(user);
++uschar * p = Ustrchr(u, '@');
+
+ if (p)
+ {
+ if (!domain)
+- domain = p + 1;
++ domain = p + 1;
+ *p = '\0';
+ }
+
+@@ -1384,7 +1387,6 @@
+ SIVAL (&request->flags, 0, 0x0000b207); /* have to figure out what these mean */
+ spa_string_add (request, user, u);
+ spa_string_add (request, domain, domain);
+-free (u);
+ }
+
+
+@@ -1475,16 +1477,16 @@
+
+ void
+ spa_build_auth_response (SPAAuthChallenge * challenge,
+- SPAAuthResponse * response, char *user,
+- char *password)
++ SPAAuthResponse * response, uschar * user,
++ uschar * password)
+ {
+ uint8x lmRespData[24];
+ uint8x ntRespData[24];
+ uint32x cf = IVAL(&challenge->flags, 0);
+-char *u = strdup (user);
+-char *p = strchr (u, '@');
+-char *d = NULL;
+-char *domain;
++uschar * u = string_copy(user);
++uschar * p = Ustrchr(u, '@');
++uschar * d = NULL;
++uschar * domain;
+
+ if (p)
+ {
+@@ -1492,33 +1494,33 @@
+ *p = '\0';
+ }
+
+-else domain = d = strdup((cf & 0x1)?
+- CCS GetUnicodeString(challenge, uDomain) :
+- CCS GetString(challenge, uDomain));
++else domain = d = string_copy(cf & 0x1
++ ? CUS GetUnicodeString(challenge, uDomain)
++ : CUS GetString(challenge, uDomain));
+
+-spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
+-spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
++spa_smb_encrypt(password, challenge->challengeData, lmRespData);
++spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
+
+ response->bufIndex = 0;
+ memcpy (response->ident, "NTLMSSP\0\0\0", 8);
+ SIVAL (&response->msgType, 0, 3);
+
+-spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
+-spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
++spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
++spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0);
+
+ if (cf & 0x1) { /* Unicode Text */
+- spa_unicode_add_string (response, uDomain, domain);
+- spa_unicode_add_string (response, uUser, u);
+- spa_unicode_add_string (response, uWks, u);
++ spa_unicode_add_string(response, uDomain, domain);
++ spa_unicode_add_string(response, uUser, u);
++ spa_unicode_add_string(response, uWks, u);
+ } else { /* OEM Text */
+- spa_string_add (response, uDomain, domain);
+- spa_string_add (response, uUser, u);
+- spa_string_add (response, uWks, u);
++ spa_string_add(response, uDomain, domain);
++ spa_string_add(response, uUser, u);
++ spa_string_add(response, uWks, u);
+ }
+
+-spa_string_add (response, sessionKey, NULL);
++spa_string_add(response, sessionKey, NULL);
+ response->flags = challenge->flags;
+-
+-if (d != NULL) free (d);
+-free (u);
+ }
++
++
++#endif /*!MACRO_PREDEF*/
+Index: exim4-4.96/src/auths/auth-spa.h
+===================================================================
+--- exim4-4.96.orig/src/auths/auth-spa.h 2023-10-03 14:35:16.511517725 +0100
++++ exim4-4.96/src/auths/auth-spa.h 2023-10-03 14:35:16.507517793 +0100
+@@ -79,10 +79,10 @@
+
+ void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
+ int spa_base64_to_bits(char *, int, const char *);
+-void spa_build_auth_response (SPAAuthChallenge *challenge,
+- SPAAuthResponse *response, char *user, char *password);
+-void spa_build_auth_request (SPAAuthRequest *request, char *user,
+- char *domain);
++void spa_build_auth_response (SPAAuthChallenge * challenge,
++ SPAAuthResponse * response, uschar * user, uschar * password);
++void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
++ uschar * domain);
+ extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
+ unsigned char * p24);
+ extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
+Index: exim4-4.96/src/auths/spa.c
+===================================================================
+--- exim4-4.96.orig/src/auths/spa.c 2023-10-03 14:35:16.511517725 +0100
++++ exim4-4.96/src/auths/spa.c 2023-10-03 14:35:16.507517793 +0100
+@@ -284,14 +284,13 @@
+ SPAAuthChallenge challenge;
+ SPAAuthResponse response;
+ char msgbuf[2048];
+-char *domain = NULL;
+-char *username, *password;
++uschar * domain = NULL, * username, * password;
+
+ /* Code added by PH to expand the options */
+
+ *buffer = 0; /* Default no message when cancelled */
+
+-if (!(username = CS expand_string(ob->spa_username)))
++if (!(username = expand_string(ob->spa_username)))
+ {
+ if (f.expand_string_forcedfail) return CANCELLED;
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -300,7 +299,7 @@
+ return ERROR;
+ }
+
+-if (!(password = CS expand_string(ob->spa_password)))
++if (!(password = expand_string(ob->spa_password)))
+ {
+ if (f.expand_string_forcedfail) return CANCELLED;
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -310,7 +309,7 @@
+ }
+
+ if (ob->spa_domain)
+- if (!(domain = CS expand_string(ob->spa_domain)))
++ if (!(domain = expand_string(ob->spa_domain)))
+ {
+ if (f.expand_string_forcedfail) return CANCELLED;
+ string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
+@@ -330,7 +329,7 @@
+
+ DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
+
+-spa_build_auth_request(&request, CS username, domain);
++spa_build_auth_request(&request, username, domain);
+ spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
+
+ DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
+@@ -347,7 +346,7 @@
+ DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
+ spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
+
+-spa_build_auth_response(&challenge, &response, CS username, CS password);
++spa_build_auth_response(&challenge, &response, username, password);
+ spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
+ DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
+
diff -Nru exim4-4.96/debian/patches/CVE-2023-42114.patch exim4-4.96/debian/patches/CVE-2023-42114.patch
--- exim4-4.96/debian/patches/CVE-2023-42114.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/CVE-2023-42114.patch 2023-10-03 13:35:45.000000000 +0000
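Review bot: In the spa.c hunk, `uschar * domain = NULL, * username, * password;` folds one initialised pointer and two uninitialised ones into a single declarator list; splitting it into `uschar * domain = NULL;` and `uschar * username, * password;` keeps the NULL default visible and matches the one-declaration-per-line shape the surrounding locals use. The enclosing function in spa.c starts before the hunk. In the auth-spa.c macro hunk, `int len = 0; ... len = Ustrlen(p);` still narrows a `size_t` into `int` before it is handed to `spa_bytes_add` (and doubled as `len*2`); since the patch is already rewriting those lines, `size_t len` would remove the implicit conversion, assuming nothing downstream relies on a signed count.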
@@ -0,0 +1,77 @@
+From 04107e98d58efb69f7e2d7b81176e5374c7098a3 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Thu, 11 May 2023 21:08:08 +0100
+Subject: [PATCH 4/4] Auths: fix possible OOB read in SPA authenticator. Bug
+ 3001
+
+---
+ doc/doc-txt/ChangeLog | 3 +++
+ src/src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++--------
+ 2 files changed, 31 insertions(+), 8 deletions(-)
+
+Index: exim4-4.96/src/auths/auth-spa.c
+===================================================================
+--- exim4-4.96.orig/src/auths/auth-spa.c 2023-10-03 14:35:21.123441831 +0100
++++ exim4-4.96/src/auths/auth-spa.c 2023-10-03 14:35:21.123441831 +0100
+@@ -1252,15 +1252,10 @@
+ }
+
+
+-#define GetUnicodeString(structPtr, header) \
+-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-#define GetString(structPtr, header) \
+-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+ #ifdef notdef
+
+ #define DumpBuffer(fp, structPtr, header) \
+-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
++ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+
+
+ static void
+@@ -1324,8 +1319,33 @@
+ return buf;
+ }
+
++static inline uschar *
++get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++ ? US unicodeToString(CS challenge + off, len/2) : US"";
++}
++
++static inline uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++ ? US toString(CS challenge + off, len) : US"";
++}
++
+ #ifdef notdef
+
++#define GetUnicodeString(structPtr, header) \
++ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
++
++#define GetString(structPtr, header) \
++ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
++
++
+ void
+ dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+ {
+@@ -1495,8 +1515,8 @@
+ }
+
+ else domain = d = string_copy(cf & 0x1
+- ? CUS GetUnicodeString(challenge, uDomain)
+- : CUS GetString(challenge, uDomain));
++ ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
++ : CUS get_challenge_str(challenge, &challenge->uDomain));
+
+ spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+ spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
diff -Nru exim4-4.96/debian/patches/CVE-2023-42115.patch exim4-4.96/debian/patches/CVE-2023-42115.patch
--- exim4-4.96/debian/patches/CVE-2023-42115.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/CVE-2023-42115.patch 2023-10-03 13:35:45.000000000 +0000
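Review bot: In the new get_challenge_unistr/get_challenge_str, `off` and `len` are `int`, so `off + len` is signed arithmetic on an offset field read straight out of the peer-supplied challenge; for a large offset the guard only rejects it by way of the signed overflow (undefined behaviour) wrapping negative and then converting to a huge `size_t`. Declaring both as `size_t` and testing `off < sizeof(SPAAuthChallenge) && len < sizeof(SPAAuthChallenge) - off` gives the same bound without relying on that. The bound is also the struct size rather than the number of bytes actually decoded in spa.c (`spa_base64_to_bits(CS (&challenge), sizeof(challenge), ...)` into what looks like an uninitialised local `SPAAuthChallenge challenge;`), so a header pointing past the decoded data but inside the struct copies stale stack bytes into the domain string; `SPAAuthChallenge challenge = {0};` at that declaration is a cheap mitigation. Both helpers return `US""` silently when the header is rejected, so a debug trace on that branch would make a malformed challenge visible to operators.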
@@ -0,0 +1,24 @@
+From 7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Thu, 11 May 2023 18:02:43 +0100
+Subject: [PATCH 1/4] Auths: fix possible OOB write in external authenticator.
+ Bug 2999
+
+---
+ doc/doc-txt/ChangeLog | 3 +++
+ src/src/auths/external.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: exim4-4.96/src/auths/external.c
+===================================================================
+--- exim4-4.96.orig/src/auths/external.c 2023-10-03 14:35:25.851368574 +0100
++++ exim4-4.96/src/auths/external.c 2023-10-03 14:35:25.847368634 +0100
+@@ -103,7 +103,7 @@
+ if (ob->server_param2)
+ {
+ uschar * s = expand_string(ob->server_param2);
+- auth_vars[expand_nmax] = s;
++ auth_vars[expand_nmax = 1] = s;
+ expand_nstring[++expand_nmax] = s;
+ expand_nlength[expand_nmax] = Ustrlen(s);
+ if (ob->server_param3)
diff -Nru exim4-4.96/debian/patches/CVE-2023-42116.patch exim4-4.96/debian/patches/CVE-2023-42116.patch
--- exim4-4.96/debian/patches/CVE-2023-42116.patch 1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/CVE-2023-42116.patch 2023-10-03 13:35:45.000000000 +0000
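Review bot: `auth_vars[expand_nmax = 1] = s;` pins the index but still stores `s` unchecked: `expand_string()` returns NULL on a failed expansion (the spa.c hunk in this same upload tests for exactly that), and two lines later `expand_nlength[expand_nmax] = Ustrlen(s);` dereferences it. An early exit on `!s` before the table writes, returning whatever failure code the enclosing function uses for expansion errors (placeholder: `if (!s) return <EXPANSION_FAILURE_CODE>;`), would close that. The bare `= 1` also deserves a one-line comment saying why the count is forced back here, presumably so server_param2 always lands in a fixed slot regardless of what an earlier expansion left in `expand_nmax`; that intent is not recoverable from the line itself. The enclosing function starts and ends outside the hunk.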
@@ -0,0 +1,26 @@
+From e17b8b0f19b25a223b0cc41933b881c3a1073e61 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Thu, 11 May 2023 19:31:54 +0100
+Subject: [PATCH 3/4] Auths: fix possible OOB write in SPA authenticator. Bug
+ 3000
+
+---
+ doc/doc-txt/ChangeLog | 3 +++
+ src/src/auths/auth-spa.c | 4 +++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+Index: exim4-4.96/src/auths/auth-spa.c
+===================================================================
+--- exim4-4.96.orig/src/auths/auth-spa.c 2023-10-03 14:35:29.411316399 +0100
++++ exim4-4.96/src/auths/auth-spa.c 2023-10-03 14:35:29.411316399 +0100
+@@ -1214,7 +1214,9 @@
+
+ #define spa_bytes_add(ptr, header, buf, count) \
+ { \
+-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
++if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \
++ && ptr->bufIndex + count < sizeof(ptr->buffer) \
++ ) \
+ { \
+ SSVAL(&ptr->header.len,0,count); \
+ SSVAL(&ptr->header.maxlen,0,count); \
diff -Nru exim4-4.96/debian/patches/series exim4-4.96/debian/patches/series
--- exim4-4.96/debian/patches/series 2023-08-05 03:28:47.000000000 +0000
+++ exim4-4.96/debian/patches/series 2023-10-03 13:35:45.000000000 +0000
@@ -39,3 +39,7 @@
 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
 90_localscan_dlopen.dpatch
 fix_smtp_banner.patch
+CVE-2023-42114_15_16.patch
+CVE-2023-42114.patch
+CVE-2023-42115.patch
+CVE-2023-42116.patch
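Review bot: The new bounds test uses the macro argument `count` unparenthesised (`ptr->bufIndex + count < sizeof(ptr->buffer)`) while the existing test on the line above writes `(count)`; the two call sites rewritten in CVE-2023-42114_15_16.patch now pass `cf & 0x200 ? 24 : 0` and `cf & 0x8000 ? 24 : 0`, so for the lmResponse/ntResponse fields the condition expands to `... && ptr->bufIndex + cf & 0x200 ? 24 : 0 < sizeof(ptr->buffer)`. Because `?:` binds loosest, that parses as a conditional whose arms are `24` and `0 < sizeof(ptr->buffer)`, both non-zero, so the whole `if` is always taken and neither the NULL/zero-count test nor the new bounds check applies to those two calls. `&& ptr->bufIndex + (count) < sizeof(ptr->buffer) \` restores the intended check, and putting the parentheses back at the two call sites is worth doing as well; the macro body continues past the hunk. When the guard does fire the field is silently dropped and the response is still built and sent, so a debug trace in an `else` branch would make a truncated or oversized field visible to operators.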