Package: exim4-config
Version: 4.99.1-3
Severity: minor

Dear Maintainer,


I was grepping the sample config and found the following:

# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
(seen in /etc/exim4/conf.d/auth/30_exim4-config_examples)


While this initially looks good, it is not, because ${quote_pgsql uses
escape-string quoting while modern versions (for the last 10 years) of PostgreSQL
use standard conforming strings by default. (This setting changes the
backslash to be an ordinary character.)

https://www.postgresql.org/docs/9.3/runtime-config-compatible.html#GUC-STANDARD-CONFORMING-STRINGS
https://www.postgresql.org/docs/9.3/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECID72

Fortunately the mitigation for this flaw is trivial. Prefix the string
with an "e", like this:

# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = e'${quote_pgsql:$auth1}'}{$value}fail}



-- Package-specific info:
Exim version 4.99.1-S2G #2 built 28-Dec-2025 06:06:41
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2025
Hints DB:
 Using sqlite3
Support for: Content_Scanning Local_Scan Exim_filter Sieve_filter crypteq 
Expand_dlfunc iconv() IPv6 PAM Perl GnuTLS move_frozen_messages TLS_resume DANE 
DKIM DNSSEC ESMTP_Limits ESMTP_Wellknown Event I18N OCSP PIPECONNECT PRDR PROXY 
Queue_Ramp SOCKS SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 passwd pgsql redis spf sqlite
Authenticators (built-in): cram_md5 cyrus_sasl dovecot external plaintext spa 
tls
Routers (built-in): accept dnslookup ipliteral iplookup manualroute redirect 
queryprogram
Transports (built-in): appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is 
/etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.43+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4-config depends on:
ii  adduser                3.152
ii  debconf [debconf-2.0]  1.5.91

Versions of packages exim4-config recommends:
ii  ca-certificates  20250419

exim4-config suggests no packages.

-- Configuration Files:
/etc/exim4/conf.d/auth/30_exim4-config_examples changed [not included]
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions changed [not included]
/etc/exim4/conf.d/retry/30_exim4-config changed [not included]
/etc/exim4/conf.d/router/850_exim4-config_lowuid changed [not included]
/etc/exim4/conf.d/transport/30_exim4-config_mail_spool changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: 
'/etc/exim4/passwd.client'

-- debconf information excluded
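An added example, not part of this bug report or of Exim: a small Python model of ${quote_pgsql} (backslash escaping as the Exim spec describes it; an approximation) and of PostgreSQL's string-literal lexer, used to check whether a quoted value survives as one literal under standard_conforming_strings with and without the E prefix. The usernames are constructed test values.

```python
def quote_pgsql(value: str) -> str:
    """Approximation of Exim's ${quote_pgsql:...} (assumed from the Exim
    spec): backslash-escape quote, double quote, backslash and line breaks."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"',
             "\n": "\\n", "\r": "\\r", "\t": "\\t"}
    return "".join(table.get(ch, ch) for ch in value)


def parse_literal(sql: str, standard_conforming_strings: bool):
    """Lex the string literal at the start of sql like PostgreSQL does.
    Returns (decoded value, text left after the closing quote).
    Raises ValueError if the literal never closes."""
    if sql[:2].upper() == "E'":
        escape_syntax, i = True, 2
    elif sql[:1] == "'":
        escape_syntax, i = False, 1
    else:
        raise ValueError("no string literal at start of input")
    # Backslash is special only in E'...' or when the server has SCS off.
    backslash_escapes = escape_syntax or not standard_conforming_strings
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":      # '' is one literal quote
                out.append("'"); i += 2; continue
            return "".join(out), sql[i + 1:]  # closing quote found
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(nxt, nxt))
            i += 2; continue
        out.append(ch); i += 1
    raise ValueError("unterminated string literal")


def build_clause(username: str, escape_prefix: bool) -> str:
    """The quoted value as it lands in the query, with or without E'...'."""
    return ("E" if escape_prefix else "") + "'" + quote_pgsql(username) + "'"


def literal_is_intact(username: str, escape_prefix: bool, scs: bool) -> bool:
    """True when the value round-trips as one literal with nothing left over,
    i.e. the quoting mode and the server's string mode agree."""
    try:
        value, rest = parse_literal(build_clause(username, escape_prefix), scs)
    except ValueError:
        return False
    return value == username and rest == ""
```

With SCS on (the modern default) the plain literal for O'Brien ends at the apostrophe and leaves "Brien'" as stray SQL, while the E-prefixed form decodes cleanly.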
