2021-05-07 15:38:36 |
Ian Kelling |
bug |
|
|
added bug |
2021-05-07 16:07:37 |
Ian Kelling |
attachment added |
|
exim.patch https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1927755/+attachment/5495541/+files/exim.patch |
|
2021-05-07 16:31:29 |
Ian Kelling |
attachment added |
|
exim.patch https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1927755/+attachment/5495543/+files/exim.patch |
|
2021-05-18 17:18:48 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
2021-05-18 17:24:10 |
Steve Beattie |
exim4 (Ubuntu): status |
New |
Confirmed |
|
2021-05-18 20:31:28 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2021-05-18 20:31:37 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2021-05-19 16:58:50 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Ubuntu Server |
2021-05-19 17:10:52 |
Sergio Durigan Junior |
exim4 (Ubuntu): importance |
Undecided |
Low |
|
2021-08-03 10:18:30 |
Miriam España Acebal |
nominated for series |
|
Ubuntu Bionic |
|
2021-08-03 10:18:30 |
Miriam España Acebal |
bug task added |
|
exim4 (Ubuntu Bionic) |
|
2021-08-03 10:18:30 |
Miriam España Acebal |
nominated for series |
|
Ubuntu Hirsute |
|
2021-08-03 10:18:30 |
Miriam España Acebal |
bug task added |
|
exim4 (Ubuntu Hirsute) |
|
2021-08-03 10:18:30 |
Miriam España Acebal |
nominated for series |
|
Ubuntu Focal |
|
2021-08-03 10:18:30 |
Miriam España Acebal |
bug task added |
|
exim4 (Ubuntu Focal) |
|
2021-10-20 16:47:28 |
Bryce Harrington |
tags |
patch |
patch server-todo |
|
2021-10-20 16:47:37 |
Bryce Harrington |
exim4 (Ubuntu Bionic): importance |
Undecided |
Low |
|
2021-10-20 16:47:42 |
Bryce Harrington |
exim4 (Ubuntu Hirsute): importance |
Undecided |
Low |
|
2021-10-20 16:47:46 |
Bryce Harrington |
exim4 (Ubuntu Focal): importance |
Undecided |
Low |
|
2021-11-24 16:30:22 |
Bryce Harrington |
tags |
patch server-todo |
patch |
|
2022-05-24 12:40:04 |
Lucas Kanashiro |
exim4 (Ubuntu Hirsute): status |
New |
Won't Fix |
|
2022-07-28 02:34:25 |
Bryce Harrington |
cve linked |
|
2020-28007 |
|
2022-07-28 02:34:25 |
Bryce Harrington |
exim4 (Ubuntu): status |
Confirmed |
Fix Released |
|
2022-07-28 02:34:34 |
Bryce Harrington |
exim4 (Ubuntu Focal): status |
New |
Fix Released |
|
2022-07-28 02:34:41 |
Bryce Harrington |
exim4 (Ubuntu Hirsute): status |
Won't Fix |
Fix Released |
|
2022-07-28 03:28:40 |
Bryce Harrington |
attachment added |
|
Makefile https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1927755/+attachment/5605652/+files/Makefile |
|
2022-07-28 03:30:42 |
Bryce Harrington |
attachment added |
|
0051-CVE-2020-28007-Link-attack-in-Exim-s-log-directory.patch https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1927755/+attachment/5605654/+files/0051-CVE-2020-28007-Link-attack-in-Exim-s-log-directory.patch |
|
2022-07-28 03:30:54 |
Bryce Harrington |
exim4 (Ubuntu Bionic): status |
New |
Triaged |
|
2022-09-01 22:03:03 |
Bryce Harrington |
description |
./debian/patches/sec-202105/0051-CVE-2020-28007-Link-attack-in-Exim-s-log-directory.patch
Backport of:
From 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Tue, 23 Feb 2021 08:33:03 -0800
Subject: [PATCH 51/57] CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
---
src/src/dmarc.c | 179 ++++++++++++++++++------------------
src/src/exim.c | 14 +--
src/src/functions.h | 3 +-
src/src/log.c | 214 ++++++++++++++++++++++++++++----------------
test/stderr/0397 | 6 +-
5 files changed, 234 insertions(+), 182 deletions(-)
dmarc.c is not used in the default build configuration, but the patch
is broken and causes a failed build when it is enabled.
An easy way to test this is to download the source package, edit
the source file src/EDITME:
-# EXPERIMENTAL_SPF=yes
-# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lspf2
+EXPERIMENTAL_SPF=yes
+CFLAGS += -I/usr/local/include
+LDFLAGS += -lspf2
-# EXPERIMENTAL_DMARC=yes
-# DMARC_TLD_FILE= /etc/exim/opendmarc.tlds
-# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lopendmarc
+EXPERIMENTAL_DMARC=yes
+DMARC_TLD_FILE= /etc/exim4/opendmarc.tlds
+CFLAGS += -I/usr/local/include
+LDFLAGS += -lopendmarc
and also:
apt install libopendmarc-dev libspf2-dev
Custom builds are actually supposed to be supported by editing special files,
README.Debian.html says:
"Additionally, the source package offers infrastructure to build your own custom-tailored exim4-daemon-custom which exactly fits your special local needs. The infrastructure to do so is already in place, see debian/rules for instructions. "
Unfortunately, anyone doing that to enable dmarc will have a failing build.
Trisquel enables dmarc in its build, and also failed its build when pulling the update.
Here is the end of the build output which shows the failure:
gcc dmarc.c
gcc -c -g -O2 -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -I/usr/local/include -I/usr/local/include -fvisibility=hidden -I. dmarc.c
dmarc.c: In function 'dmarc_send_forensic_report':
dmarc.c:166:47: warning: suggest parentheses around '&&' within '||' [-Wparentheses]
if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT
dmarc.c:168:47: warning: suggest parentheses around '&&' within '||' [-Wparentheses]
|| dmarc_policy == DMARC_POLICY_NONE && action == DMARC_RESULT_REJECT
dmarc.c:169:47: warning: suggest parentheses around '&&' within '||' [-Wparentheses]
|| dmarc_policy == DMARC_POLICY_NONE && action == DMARC_RESULT_QUARANTINE
dmarc.c: At top level:
dmarc.c:211:1: error: static declaration of 'dmarc_write_history_file' follows non-static declaration
dmarc_write_history_file()
^~~~~~~~~~~~~~~~~~~~~~~~
In file included from dmarc.c:22:0:
dmarc.h:26:5: note: previous declaration of 'dmarc_write_history_file' was here
int dmarc_write_history_file();
^~~~~~~~~~~~~~~~~~~~~~~~
dmarc.c: In function 'dmarc_write_history_file':
dmarc.c:265:25: error: 'f' undeclared (first use in this function)
(host_checking || f.running_in_test_harness) ? " (not really)" : "");
^
dmarc.c:265:25: note: each undeclared identifier is reported only once for each function it appears in
Makefile:811: recipe for target 'dmarc.o' failed
make[3]: *** [dmarc.o] Error 1
make[3]: Leaving directory '/nocow/t/bionic-exim/exim4-4.90.1/b-exim4-daemon-heavy/build-Linux-x86_64'
Makefile:35: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/nocow/t/bionic-exim/exim4-4.90.1/b-exim4-daemon-heavy'
debian/rules:111: recipe for target 'override_dh_auto_build' failed
make[1]: *** [override_dh_auto_build] Error 2
make[1]: Leaving directory '/nocow/t/bionic-exim/exim4-4.90.1'
debian/rules:293: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
debuild: fatal error at line 1152:
dpkg-buildpackage -rfakeroot -us -uc -ui -b failed |
[Impact]
This is a regression in bionic's exim4 caused by the introduction of a CVE fix last year. It prevents users from accessing custom functionality from the shipped package when reconfiguring/rebuilding.
[Test Case]
To reproduce the build failure on bionic:
1. Save this file to Local/Makefile, to enable building dmarc.c
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1927755/+attachment/5605652/+files/Makefile
2. cp exim_monitor/EDITME Local/eximon.conf
3. sudo apt-get install -y exim4 libopendmarc-dev libspf2-dev
4. sudo apt-get build-dep -y exim4
5. make
(It should build successfully at this point since patches aren't applied)
6. quilt push -a
make
This should fail.
[Where problems could occur]
This change modifies a CVE patch, so the obvious concern would be if this invalidates the CVE. Mitigating this concern is that the change itself was suggested by a Ubuntu server team member, and that the change is isolated to code that is not even compiled for the stock package provided by bionic.
Since this affects code we don't compile, if the fix is incorrect for some reason, our regular CI won't detect it. So bugs related to custom compilation of bionic's exim4 could potentially be worth watching for.
[Original Report]
./debian/patches/sec-202105/0051-CVE-2020-28007-Link-attack-in-Exim-s-log-directory.patch
Backport of:
From 93e9a18fbf09deb59bd133986f4c89aeb2d2d86a Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Tue, 23 Feb 2021 08:33:03 -0800
Subject: [PATCH 51/57] CVE-2020-28007: Link attack in Exim's log directory
We patch this vulnerability by opening (instead of just creating) the
log file in an unprivileged (exim) child process, and by passing this
file descriptor back to the privileged (root) parent process. The two
functions log_send_fd() and log_recv_fd() are inspired by OpenSSH's
functions mm_send_fd() and mm_receive_fd(); thanks!
This patch also fixes:
- a NULL-pointer dereference in usr1_handler() (this signal handler is
installed before process_log_path is initialized);
- a file-descriptor leak in dmarc_write_history_file() (two return paths
did not close history_file_fd).
Note: the use of log_open_as_exim() in dmarc_write_history_file() should
be fine because the documentation explicitly states "Make sure the
directory of this file is writable by the user exim runs as."
(cherry picked from commit 2502cc41d1d92c1413eca6a4ba035c21162662bd)
---
src/src/dmarc.c | 179 ++++++++++++++++++------------------
src/src/exim.c | 14 +--
src/src/functions.h | 3 +-
src/src/log.c | 214 ++++++++++++++++++++++++++++----------------
test/stderr/0397 | 6 +-
5 files changed, 234 insertions(+), 182 deletions(-)
dmarc.c is not used in the default build configuration, but the patch
is broken and causes a failed build when it is enabled.
An easy way to test this is to download the source package, edit
the source file src/EDITME:
-# EXPERIMENTAL_SPF=yes
-# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lspf2
+EXPERIMENTAL_SPF=yes
+CFLAGS += -I/usr/local/include
+LDFLAGS += -lspf2
-# EXPERIMENTAL_DMARC=yes
-# DMARC_TLD_FILE= /etc/exim/opendmarc.tlds
-# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lopendmarc
+EXPERIMENTAL_DMARC=yes
+DMARC_TLD_FILE= /etc/exim4/opendmarc.tlds
+CFLAGS += -I/usr/local/include
+LDFLAGS += -lopendmarc
and also:
apt install libopendmarc-dev libspf2-dev
Custom builds are actually supposed to be supported by editing special files,
README.Debian.html says:
"Additionally, the source package offers infrastructure to build your own custom-tailored exim4-daemon-custom which exactly fits your special local needs. The infrastructure to do so is already in place, see debian/rules for instructions. "
Unfortunately, anyone doing that to enable dmarc will have a failing build.
Trisquel enables dmarc in its build, and also failed its build when pulling the update.
Here is the end of the build output which shows the failure:
gcc dmarc.c
gcc -c -g -O2 -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -I/usr/local/include -I/usr/local/include -fvisibility=hidden -I. dmarc.c
dmarc.c: In function 'dmarc_send_forensic_report':
dmarc.c:166:47: warning: suggest parentheses around '&&' within '||' [-Wparentheses]
if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT
dmarc.c:168:47: warning: suggest parentheses around '&&' within '||' [-Wparentheses]
|| dmarc_policy == DMARC_POLICY_NONE && action == DMARC_RESULT_REJECT
dmarc.c:169:47: warning: suggest parentheses around '&&' within '||' [-Wparentheses]
|| dmarc_policy == DMARC_POLICY_NONE && action == DMARC_RESULT_QUARANTINE
dmarc.c: At top level:
dmarc.c:211:1: error: static declaration of 'dmarc_write_history_file' follows non-static declaration
dmarc_write_history_file()
^~~~~~~~~~~~~~~~~~~~~~~~
In file included from dmarc.c:22:0:
dmarc.h:26:5: note: previous declaration of 'dmarc_write_history_file' was here
int dmarc_write_history_file();
^~~~~~~~~~~~~~~~~~~~~~~~
dmarc.c: In function 'dmarc_write_history_file':
dmarc.c:265:25: error: 'f' undeclared (first use in this function)
(host_checking || f.running_in_test_harness) ? " (not really)" : "");
^
dmarc.c:265:25: note: each undeclared identifier is reported only once for each function it appears in
Makefile:811: recipe for target 'dmarc.o' failed
make[3]: *** [dmarc.o] Error 1
make[3]: Leaving directory '/nocow/t/bionic-exim/exim4-4.90.1/b-exim4-daemon-heavy/build-Linux-x86_64'
Makefile:35: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/nocow/t/bionic-exim/exim4-4.90.1/b-exim4-daemon-heavy'
debian/rules:111: recipe for target 'override_dh_auto_build' failed
make[1]: *** [override_dh_auto_build] Error 2
make[1]: Leaving directory '/nocow/t/bionic-exim/exim4-4.90.1'
debian/rules:293: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
debuild: fatal error at line 1152:
dpkg-buildpackage -rfakeroot -us -uc -ui -b failed |
|
2022-09-06 06:34:15 |
Bryce Harrington |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/429330 |
|
2022-09-08 00:00:06 |
Bryce Harrington |
exim4 (Ubuntu Bionic): assignee |
|
Bryce Harrington (bryce) |
|
2022-09-08 00:00:08 |
Bryce Harrington |
exim4 (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2022-09-14 14:36:51 |
Robie Basak |
exim4 (Ubuntu Bionic): status |
Fix Committed |
Won't Fix |
|
2022-09-14 15:52:37 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |