Re: [exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-14 Thread Jeremy Harris via Exim-dev
On 14/02/18 10:58, Jakob Hirsch via Exim-dev wrote:
> Anyway, I wonder why we need two base64 decoding functions. Sure, they
> serve different purposes, but the inner parts mostly do the same (apart
> from error handling). Shouldn't we consolidate this?

> Any objections?

Consolidation is good, so long as we're assured that the definition
of the base-64 method being used in the two cases is the same.
I think there's more than one alphabet in common use, for different
purposes...  But if this turns out to be the case, perhaps a merged
routine could handle either.

Some microbenchmarking wouldn't go amiss, along with the usual
regression testing.
-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


Re: [exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-14 Thread Jakob Hirsch via Exim-dev

Hi,


+  int l = Ustrlen(code);
+  *ptr = result = store_get(1 + l/4 * 3 + l%4);
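Review bot: the allocation `store_get(1 + l/4 * 3 + l%4)` covers all four values of l%4 (for l = 4k..4k+3 it reserves 3k+1..3k+4 bytes), so a decoder that emits up to three bytes for the trailing partial group plus one spare byte stays inside the buffer; the shorter `(Ustrlen(code)+1)*3/4 + 1` suggested in this message evaluates to the same size for every l. A comment at the allocation site stating that invariant (three bytes per full group, at most one per trailing character, one extra) would let later changes to the decode loop be checked against it.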


An easier (or at least shorter) fix would have been

uschar *result = store_get((Ustrlen(code)+1)*3/4 + 1);

Anyway, I wonder why we need two base64 decoding functions. Sure, they 
serve different purposes, but the inner parts mostly do the same (apart 
from error handling). Shouldn't we consolidate this? This surely would 
require some rework (e.g. the state needs to be saved between b64decode 
calls for robust mime decoding), but I guess it's worth the time to have 
cleaner code.
I would surely prefer the decoding loop from mime_decode_base64 over the 
one in b64encode, not only because it's much shorter (20 lines vs. 50) 
and very much easier to read (I highly doubt the claims of b64encode 
"written out in a straightforward way" and "compact loop is messy"). 
Note that I might be a little biased here, as most of mime_decode_base64 
was written by me :)


Any objections?

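As an added illustration (not Exim's code, and not from either poster), the C below implements the allocation bound from the quoted fix next to a padding-tolerant decoder of the kind the message discusses, and checks the four length residues against it; the function names are my own.

```c
#include <stddef.h>
#include <string.h>
/* Bound from the fix quoted above: the l/4 full groups yield 3 bytes each,
 * each of the l%4 trailing chars at most one byte, plus one byte for a NUL.
 * For every l it equals the shorter (l+1)*3/4 + 1 proposed in the post. */
size_t b64_decoded_bound(size_t l) { return 1 + l / 4 * 3 + l % 4; }

/* Value of a standard-alphabet character, or -1 if it is not in the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode in[], tolerating missing '=' padding, writing no more than
 * b64_decoded_bound(strlen(in)) bytes (NUL included). Returns the decoded
 * length, or -1 on a bad character, a lone trailing sextet, or a small buffer. */
long b64_decode(const char *in, unsigned char *out, size_t outcap)
{
    size_t l = strlen(in), n = 0; unsigned acc = 0; int bits = 0;
    if (outcap < b64_decoded_bound(l)) return -1;
    for (size_t i = 0; i < l && in[i] != '='; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned)v) & 0xffff;  /* at most 12 live bits */
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    if (bits >= 6) return -1;            /* one char alone encodes no byte */
    out[n] = 0;
    return (long)n;
}

/* Constructed inputs covering each length residue (4, 3, 2 and padded 8);
 * returns 1 if every decode matches and fits inside the bound. */
int b64_residue_check(void)
{
    static const char *in[] = { "TWFu", "TWE", "TQ", "TWFuTQ==" };
    static const char *want[] = { "Man", "Ma", "M", "ManM" };
    for (int i = 0; i < 4; i++) {
        unsigned char buf[16];
        long n = b64_decode(in[i], buf, sizeof buf);
        if (n != (long)strlen(want[i]) || memcmp(buf, want[i], (size_t)n) != 0)
            return 0;
    }
    return 1;
}
```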


Re: [exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-12 Thread Heiko Schlittermann via Exim-dev
Phil Pennock  (Di 13 Feb 2018 00:08:50 CET):
> On 2018-02-09 at 15:32 +, Vsevolod Stakhov via Exim-dev wrote:
> > It seems that FreeBSD is no longer considered in CVE early disclosure,
> > isn't it?
> 
> There has been no change from Exim's side in how this was communicated.
> We have an exim-maintainers mailing-list which has vetted people from
> any interested OS project as members and that list received early

The early notification was sent to oss-security@,

> notification.  I strongly suspect that the OpenWall distros mailing-list
> received early notification (but am not on that list and haven't asked
> Heiko; I only saw the public notifications on oss-security later).

The notification on oss-security he got, I think. But not my poll about
cutting the embargo, that was sent to linux-distros only. I'm sorry for
that.

It was my fault.  I accidentally didn't post to distros@vs.openwall… but to
linux-distros@vs.openwall… (Autocompletion in the mailclient :(

I didn't resend it to distros then, because I decided to cut the embargo
and to send a public notification about it to oss-security.

Via personal mail we had some communication and Vsevolod got access to
the security repo (he already had access, but missed the notification on
oss-security somehow). Kurt Jäger contacted me after the first
notification to oss-security was sent, and I told him that we have Vsevolod in
the list of keys for the security repo. That was fine for him.

-- 
Heiko




Re: [exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-12 Thread Phil Pennock via Exim-dev
On 2018-02-09 at 15:32 +, Vsevolod Stakhov via Exim-dev wrote:
> It seems that FreeBSD is no longer considered in CVE early disclosure,
> isn't it?

There has been no change from Exim's side in how this was communicated.
We have an exim-maintainers mailing-list which has vetted people from
any interested OS project as members and that list received early
notification.  I strongly suspect that the OpenWall distros mailing-list
received early notification (but am not on that list and haven't asked
Heiko; I only saw the public notifications on oss-security later).

Our process is documented at:
  https://github.com/Exim/exim/wiki/SecurityReleaseProcess

So: we have a documented process, we have resources for OS folks to use,
nothing has changed here.  If FreeBSD had missed the notification, then
that's unfortunate.  I don't think I've done anything special in the
past to notify you beyond our documented process.  If I did, then that's
on me for not documenting it for Heiko (or having any recollection of it
now).

What would you like us to have done differently?
-Phil




Re: [exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-12 Thread Vsevolod Stakhov via Exim-dev
On 09.02.2018 09:40, ad...@bugs.exim.org wrote:
> https://bugs.exim.org/show_bug.cgi?id=2235
> 
>         Bug ID: 2235
>        Summary: CVE-2018-6789
>        Product: Exim
>        Version: 4.90
>       Hardware: All
>             OS: All
>         Status: NEW
>       Severity: security
>       Priority: medium
>      Component: Unfiled
>       Assignee: ni...@exim.org
>       Reporter: h...@schlittermann.de
>             CC: exim-dev@exim.org
> 
> Buffer overflow. RCE might be possible using a handcrafted message. Bug is
> fixed already and distros have access to the fixed versions since 2018-02-08
> 17:00 UTC.

It seems that FreeBSD is no longer considered in CVE early disclosure,
isn't it?





[exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-09 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2235

        Bug ID: 2235
       Summary: CVE-2018-6789
       Product: Exim
       Version: 4.90
      Hardware: All
            OS: All
        Status: NEW
      Severity: security
      Priority: medium
     Component: Unfiled
      Assignee: ni...@exim.org
      Reporter: h...@schlittermann.de
            CC: exim-dev@exim.org

Buffer overflow. RCE might be possible using a handcrafted message. Bug is
fixed already and distros have access to the fixed versions since 2018-02-08
17:00 UTC.

This fix should be cherry-picked onto the master branch as soon as it is
public.
