Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set

[Ben Hutchings]

Control: severity -1 important
Control: retitle -1 NEWS doesn't clearly explain config changes needed for 
CVE-2016-1531

On Wed, 2016-03-16 at 19:39 +0100, Andreas Metzler wrote:
> On 2016-03-16 Ben Hutchings  wrote:
> > 
> > Control: severity -1 serious
> > Control: tag -1 moreinfo
> > 
> > Upgrading severity.  I consider this release-critical because a package
> > should never:
> > 
> > 1. Send spurious error messages from its cron job
> > 2. Recommend changing the configuration in a way that would undo a
> > security fix
> Hello,
> 
> the situation is this:
> 
> * Upstream made a change (cleaning the environment by default) that in
>   their opinion could break existing systems. There is not a magic
>   switch that can be thrown to fix this. The safe default value (empty
>   environment) is exactly what causes the breakage. To point
>   admininistrators of failing system in the right direction exim prints
>   a warning when keep_environment is not set.
>
> * Afaik the Debian config works fine with empty environment which is why
>   we have added an explicit 'keep_environment=" to prevent the runtime
>   warning.

This is all good.

> * Otoh if you are running a custom configuration you will get
>   the warning exactly as upstream has intended and you will need to
>   decide whether you need to modify the environment. This also applies
>   to configuration based on the Debian configuration. - You'll need to
>   look at the configuration and decide whether modifying the runtime
>   environment is necessary. (You'll get a dpkg confile prompt and need
>   to merge the changes.)

The warning isn't really very clear, though.

> * In addition there is an entry in exim4-config.NEWS.

I saw that, but it also wasn't that clear about what changes were
needed.

> I am basically out of bright ideas on how to improve things from here.
> The whole thing is trade-off, on one side now some people get a warning
> message without experincing real breakage, on the other side if I patched
> out the warning message some people would just see a broken e-mail
> service without the helpful hint. Being in doubt I trusted upstream's
> choice.
> 
> See http://article.gmane.org/gmane.mail.exim.devel/9142 and following.

Please expand the NEWS item to say that if you have a custom
configuration you *must* update it, and also refer to
https://exim.org/s
tatic/doc/CVE-2016-1531.txt which briefly explains the new variables.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.

signature.asc
Description: This is a digitally signed message part

Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set

[Ben Hutchings]

On Wed, 2016-03-16 at 17:41 +0100, Andreas Metzler wrote:
[...]
> exim4 (4.84.2-1)'s says this in
> 
> a) debian/changelog
>   * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
>  options. Set "keep_environment =" by default to avoid a runtime warning.
>  Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2).
[...]

This belongs in NEWS, not just changelog.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.

signature.asc
Description: This is a digitally signed message part

Processed: Re: Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set

[Debian Bug Tracking System]

Processing control commands:

> severity -1 important
Bug #818349 [exim4-base] exim4-base: Still warns about purging the environment, 
even with add_environment set
Severity set to 'important' from 'serious'
> retitle -1 NEWS doesn't clearly explain config changes needed for 
> CVE-2016-1531
Bug #818349 [exim4-base] exim4-base: Still warns about purging the environment, 
even with add_environment set
Changed Bug title to 'NEWS doesn't clearly explain config changes needed for 
CVE-2016-1531' from 'exim4-base: Still warns about purging the environment, 
even with add_environment set'

-- 
818349: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818349
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set

[Andreas Metzler]

On 2016-03-16 Matthew Vernon  wrote:
> Package: exim4-base
> Version: 4.84.2-1
> Severity: important

> Hi,

> I upgraded my jessie systems to 4.84.2-1 and added an add_environment
> setting thus:
> add_environment = <; PATH=/bin:/usr/bin

> The upstream advisory says:

> "If both options are not used in the configuration, Exim issues a
> warning on startup. This warning disappears if at least one of these
> options is used (even if set to an empty value)."

> Yet:
> root@mws-priv-21:~# /usr/sbin/exim4 -bP | grep environment
> LOG: MAIN
>   Warning: purging the environment.
>  Suggested action: use keep_environment.
> add_environment = <; PATH=/bin:/usr/bin
> keep_environment = 

> This is clearly not the correct behaviour, and I'm getting a lot of
> cron mail :-(

Hello,

exim4 (4.84.2-1)'s says this in

a) debian/changelog
  * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new
 options. Set "keep_environment =" by default to avoid a runtime warning.
 Bump exim4-config Breaks to exim4-daemon-* (<< 4.84.2).
[...]
Upstream followups on the CVE fix (Thanks, Heiko Schlittermann!):
[...]
+ Runtime warning is only generated if (and only if) keep_environment
   is unset and environment is nonempty.

b) /usr/share/doc/exim4-base/spec.txt.gz
 Current versions of Exim issue a warning during startup if you do not mention
 keep_environment in your runtime configuration file and if there is
 anything in your environment. Future versions may not issue that warning
 anymore.

So, this is documented behavior, pulling an enhancement for  the issue
from upstream.

cu Andreas

Bug#818349: exim4-base: Still warns about purging the environment, even with add_environment set

[Andreas Metzler]

On 2016-03-16 Ben Hutchings  wrote:
> Control: severity -1 serious
> Control: tag -1 moreinfo

> Upgrading severity.  I consider this release-critical because a package
> should never:

> 1. Send spurious error messages from its cron job
> 2. Recommend changing the configuration in a way that would undo a
> security fix

Hello,

the situation is this:

* Upstream made a change (cleaning the environment by default) that in
  their opinion could break existing systems. There is not a magic
  switch that can be thrown to fix this. The safe default value (empty
  environment) is exactly what causes the breakage. To point
  admininistrators of failing system in the right direction exim prints
  a warning when keep_environment is not set.

* Afaik the Debian config works fine with empty environment which is why
  we have added an explicit 'keep_environment=" to prevent the runtime
  warning.

* Otoh if you are running a custom configuration you will get
  the warning exactly as upstream has intended and you will need to
  decide whether you need to modify the environment. This also applies
  to configuration based on the Debian configuration. - You'll need to
  look at the configuration and decide whether modifying the runtime
  environment is necessary. (You'll get a dpkg confile prompt and need
  to merge the changes.)

* In addition there is an entry in exim4-config.NEWS.

I am basically out of bright ideas on how to improve things from here.
The whole thing is trade-off, on one side now some people get a warning
message without experincing real breakage, on the other side if I patched
out the warning message some people would just see a broken e-mail
service without the helpful hint. Being in doubt I trusted upstream's
choice.

See http://article.gmane.org/gmane.mail.exim.devel/9142 and following.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'