CVE-2011-1764: format string vulnerability

Bug #779391 reported by Felix Geyer on 2011-05-08
Affects            Status         Importance   Assigned to   Milestone
exim               Fix Released   Unknown
exim4 (Debian)     Fix Released   Unknown
exim4 (Ubuntu)                    Medium       Kees Cook
  Lucid                           Medium       Kees Cook
  Maverick                        Medium       Kees Cook
  Natty                           Medium       Kees Cook
  Oneiric                         Medium       Kees Cook

Bug Description

Binary package hint: exim4

From http://www.debian.org/security/2011/dsa-2232

> It was discovered that Exim, the default mail transport agent in Debian, uses DKIM data obtained from DNS directly in a format string, potentially allowing malicious mail senders to execute arbitrary code. (CVE-2011-1764)

Felix Geyer (debfx) on 2011-05-08
visibility: private → public
Kees Cook (kees) on 2011-05-08
Changed in exim4 (Ubuntu):
status: New → Triaged
Changed in exim:
status: Unknown → Fix Released
Felix Geyer (debfx) wrote :

Affects lucid - oneiric (exim4 >= 4.70).

Felix Geyer (debfx) wrote :

Fix for oneiric by merging 4.75-3 from Debian.

Felix Geyer (debfx) wrote :

debdiff for lucid

Kees Cook (kees) wrote :

Just as a note, due to Ubuntu's default compiler flags[1], this vulnerability is "only" a denial-of-service and does not seem to result in arbitrary code execution.

[1] https://wiki.ubuntu.com/CompilerFlags

Kees, are you sure about compiler flags helping? Exim's string_vformat is a separate builtin implementation.

Kees Cook (kees) wrote :

AAaargh. Who reimplements sprintf!? I am working on hardy and dapper now. Will have this uploaded shortly. Thanks for double-checking and getting the Lucid and Oneiric patches ready!

At least full ASLR (PIE[1]) is in place in Lucid and later, so exploiting this is difficult, but not impossible.

[1] https://wiki.ubuntu.com/Security/Features#pie
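
As an added illustration of the exchange above (not code from this report or from Exim; log_write_demo and the DKIM record below are constructed): the fixed call passes the DNS data as an argument to a literal format, and annotating a hand-rolled formatter with the format attribute lets the compiler flag the unsafe call shape that _FORTIFY_SOURCE, which only guards the libc printf family, cannot see.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a DKIM TXT record served from a zone the sender
 * controls, with printf directives embedded in the key data. */
static const char *SAMPLE_DKIM_TXT = "v=DKIM1; k=rsa; p=MIGfMA0G%s%s%n%x";

static char logbuf[256];

/* Exim's string_vformat() is a hand-rolled formatter, so glibc's
 * _FORTIFY_SOURCE checks on the printf family never see it. Marking a
 * custom formatter with the format attribute (a hypothetical wrapper here,
 * not Exim's code) makes -Wformat-security report any call site whose
 * format string is not a literal. */
__attribute__((format(printf, 1, 2)))
static int log_write_demo(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return n;
}

/* Count the '%' directives a formatter would interpret in DNS-supplied
 * data; "%%" is an escaped percent and is not counted. A non-zero count is
 * the input the CVE turned into conversions, each reading an argument that
 * was never passed. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Unfixed shape (not compiled here): log_write_demo(record);  the record
 * itself is the format string. Fixed shape: the record is an argument to a
 * literal format, so its directives are copied verbatim into the log line. */
const char *log_dkim_record(const char *record)
{
    log_write_demo("DKIM: %s", record);
    return logbuf;
}
```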

Kees Cook (kees) wrote :

Er, nevermind, DKIM was added after Hardy.

Changed in exim4 (Ubuntu Lucid):
status: New → Fix Committed
Changed in exim4 (Ubuntu Maverick):
status: New → Fix Committed
Changed in exim4 (Ubuntu Natty):
status: New → Fix Committed
Changed in exim4 (Ubuntu Oneiric):
status: Triaged → In Progress
Changed in exim4 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Natty):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Lucid):
assignee: nobody → Kees Cook (kees)
Changed in exim4 (Ubuntu Maverick):
assignee: nobody → Kees Cook (kees)
Changed in exim4 (Ubuntu Natty):
assignee: nobody → Kees Cook (kees)
Changed in exim4 (Ubuntu Oneiric):
assignee: nobody → Kees Cook (kees)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.74-1ubuntu1.1

---------------
exim4 (4.74-1ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #779391)
    - debian/patches/85_CVE-2011-1764.patch: patch from upstream
    - CVE-2011-1764
 -- Felix Geyer <email address hidden> Sun, 08 May 2011 15:31:05 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.72-1ubuntu1.2

---------------
exim4 (4.72-1ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #779391)
    - debian/patches/85_CVE-2011-1764.patch: patch from upstream
    - CVE-2011-1764
 -- Kees Cook <email address hidden> Mon, 09 May 2011 16:51:44 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.71-3ubuntu1.2

---------------
exim4 (4.71-3ubuntu1.2) lucid-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #779391)
    - debian/patches/85_CVE-2011-1764.patch: patch from upstream
    - CVE-2011-1764
 -- Felix Geyer <email address hidden> Sun, 08 May 2011 15:31:05 +0200

Changed in exim4 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in exim4 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in exim4 (Ubuntu Natty):
status: Fix Committed → Fix Released
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.76-1ubuntu1

---------------
exim4 (4.76-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes (LP: #779391):
    - debian/control: Don't declare a Provides: default-mta; in Ubuntu,
      we want postfix to be the default.

exim4 (4.76-1) unstable; urgency=low

  * New upstream version.
  * Drop 80_match_isinlist.diff (included upstream).

exim4 (4.76~RC1-3) experimental; urgency=low

  * 80_match_isinlist.diff pulled from upstream git.

exim4 (4.76~RC1-2) experimental; urgency=low

  * Fix testsuite error.
  * Disable verification of DKIM signatures if DC_minimaldns or the (newly
    added) DISABLE_DKIM_VERIFY macro are set. Closes: #609764
  * [lintian] Drop useless comments from debian/watch.

exim4 (4.76~RC1-1) experimental; urgency=low

  * New upstream version.
  * Drop superfluous patches. 80_ldap_require_cert-work.diff
    81_negatebool.diff 82_dkimpercent.diff
  * [Lintian] Fix grammar error in manpage (spelling-error-in-manpage
    update-exim4defaults.8.gz allows to allows one to).
  * [debian/minimaltest]: Added. Try to run a minimal functionality test after
    building exim. (Currently only supported if the build-system has a
    Debian-exim user.)

exim4 (4.75-3) unstable; urgency=high

  * [debian/rules] Fix dependencies and targets, speeding up package build.
    Previously everything was compiled twice.
  * Patches pulled from upstream git:
    +81_negatebool.diff Negating the $bool expansion condition did not work.
    +82_dkimpercent.diff dkim sig logged to paniclog. Closes: #624670
     (CVE-2011-1764)
 -- Stephane Graber <email address hidden> Mon, 23 May 2011 12:37:30 -0400

Changed in exim4 (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in exim4 (Debian):
status: Unknown → Fix Released