Re: [exim-dev] [Bug 2235] New: CVE-2018-6789
On 14/02/18 10:58, Jakob Hirsch via Exim-dev wrote:
> Anyway, I wonder why we need two base64 decoding functions. Sure, they
> serve different purposes, but the inner parts mostly do the same (apart
> from error handling). Shouldn't we consolidate this?

> Any objections?

Consolidation is good, so long as we're assured that the definition of the base-64 method being used in the two cases is the same. I think there's more than one alphabet in common use, for different purposes... But if this turns out to be the case, perhaps a merged routine could handle either.

Some microbenchmarking wouldn't go amiss, along with the usual regression testing.

--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: [exim-dev] [Bug 2235] New: CVE-2018-6789
Hi,

+ int l = Ustrlen(code);
+ *ptr = result = store_get(1 + l/4 * 3 + l%4);

An easier (or at least shorter) fix would have been

uschar *result = store_get((Ustrlen(code)+1)*3/4 + 1);

Anyway, I wonder why we need two base64 decoding functions. Sure, they serve different purposes, but the inner parts mostly do the same (apart from error handling). Shouldn't we consolidate this?

This surely would require some rework (e.g. the state needs to be saved between b64decode calls for robust mime decoding), but I guess it's worth the time to have cleaner code. I would surely prefer the decoding loop from mime_decode_base64 over the one in b64encode, not only because it's much shorter (20 lines vs. 50) and very much easier to read (I highly doubt the claims of b64encode "written out in a straightforward way" and "compact loop is messy"). Note that I might be a little biased here, as most of mime_decode_base64 was written by me :)

Any objections?
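Review bot: in the store_get(1 + l/4 * 3 + l%4) line the allocation size relies on l/4 * 3 being evaluated as an integer division first, and nothing in the hunk says what each term is for. Parenthesise it as (l/4) * 3 and add a comment stating what the leading 1, the l/4 * 3 term and the l%4 term each account for, so that a later simplification cannot shrink the buffer unnoticed. The result of Ustrlen(code) is also stored in an int l; if a length can ever exceed what an int holds the computed size would be wrong, so an unsigned size type is the safer choice here.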
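A check of the two allocation expressions in the message above, as an added example that is not Exim code and not part of the original mail: it confirms that both give the same size for every input length and that this size covers a lenient decoder's worst case plus the terminating NUL. The decoder and the names b64val, decode_needed and first_bad_length are hypothetical, written only for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Allocation size from the patch quoted in the mail */
static size_t size_patch(size_t l) { return 1 + l / 4 * 3 + l % 4; }
/* Allocation size from the shorter expression proposed in the mail */
static size_t size_alt(size_t l) { return (l + 1) * 3 / 4 + 1; }

/* 6-bit value of a standard-alphabet base64 character, or -1 */
static int b64val(unsigned char c) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Hypothetical lenient decoder (not Exim's): stops at the first non-alphabet
   byte, emits the bytes of a trailing partial group, never writes past cap.
   Returns the number of bytes required, including the terminating NUL. */
static size_t decode_needed(const char *in, unsigned char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) break;
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (n < cap) out[n] = (unsigned char)(acc >> bits);
            n++;
            acc &= (1u << bits) - 1;   /* keep only the leftover bits */
        }
    }
    if (n < cap) out[n] = 0;
    return n + 1;
}

/* First length (0..max_len, capped at 255) where the two sizes differ or are
   smaller than what the decoder needs; -1 if there is no such length. */
static long first_bad_length(size_t max_len) {
    char in[256]; unsigned char out[256];
    for (size_t l = 0; l <= max_len && l < sizeof in; l++) {
        memset(in, '/', l); in[l] = '\0';   /* constructed input: l valid chars */
        size_t need = decode_needed(in, out, sizeof out);
        if (size_patch(l) != size_alt(l) || size_patch(l) < need) return (long)l;
    }
    return -1;
}

int main(void) {
    return printf("first bad length: %ld\n", first_bad_length(255)) < 0;
}
```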
Re: [exim-dev] [Bug 2235] New: CVE-2018-6789
Phil Pennock (Tue 13 Feb 2018 00:08:50 CET):
> On 2018-02-09 at 15:32 +, Vsevolod Stakhov via Exim-dev wrote:
> > It seems that FreeBSD is no longer considered in CVE early disclosure,
> > isn't it?
>
> There has been no change from Exim's side in how this was communicated.
> We have an exim-maintainers mailing-list which has vetted people from
> any interested OS project as members and that list received early

The early notification was sent to oss-security@,

> notification. I strongly suspect that the OpenWall distros mailing-list
> received early notification (but am not on that list and haven't asked
> Heiko; I only saw the public notifications on oss-security later).

The notification on oss-security he got, I think. But not my poll about cutting the embargo, that was sent to linux-distros only. I'm sorry for that. It was my fault. I accidentally didn't post to distros@vs.openwall… but to linux-distros@vs.openwall… (Autocompletion in the mailclient :(

I didn't resend it to distros then, because I decided to cut the embargo and to send a public notification about it to oss-security.

Via personal mail we had some communication and Vsevolod got access to the security repo (he already had access, but missed the notification on oss-security somehow).

Kurt Jäger contacted me after the first notification to oss-security was sent, and I told him that we have Vsevolod in the list of keys for the security repo. That was fine for him.

--
Heiko
Re: [exim-dev] [Bug 2235] New: CVE-2018-6789
On 2018-02-09 at 15:32 +, Vsevolod Stakhov via Exim-dev wrote:
> It seems that FreeBSD is no longer considered in CVE early disclosure,
> isn't it?

There has been no change from Exim's side in how this was communicated. We have an exim-maintainers mailing-list which has vetted people from any interested OS project as members and that list received early notification. I strongly suspect that the OpenWall distros mailing-list received early notification (but am not on that list and haven't asked Heiko; I only saw the public notifications on oss-security later).

Our process is documented at: https://github.com/Exim/exim/wiki/SecurityReleaseProcess

So: we have a documented process, we have resources for OS folks to use, nothing has changed here.

If FreeBSD had missed the notification, then that's unfortunate. I don't think I've done anything special in the past to notify you beyond our documented process. If I did, then that's on me for not documenting it for Heiko (or having any recollection of it now).

What would you like us to have done differently?

-Phil
Re: [exim-dev] [Bug 2235] New: CVE-2018-6789
On 09.02.2018 09:40, ad...@bugs.exim.org wrote:
> https://bugs.exim.org/show_bug.cgi?id=2235
>
> Bug ID: 2235
> Summary: CVE-2018-6789
> Product: Exim
> Version: 4.90
> Hardware: All
> OS: All
> Status: NEW
> Severity: security
> Priority: medium
> Component: Unfiled
> Assignee: ni...@exim.org
> Reporter: h...@schlittermann.de
> CC: exim-dev@exim.org
>
> Buffer overflow. RCE might be possible using a handcrafted message. Bug is
> fixed already and distros have access to the fixed versions since 2018-02-08
> 17:00 UTC.

It seems that FreeBSD is no longer considered in CVE early disclosure, isn't it?
[exim-dev] [Bug 2235] New: CVE-2018-6789
https://bugs.exim.org/show_bug.cgi?id=2235

Bug ID: 2235
Summary: CVE-2018-6789
Product: Exim
Version: 4.90
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Unfiled
Assignee: ni...@exim.org
Reporter: h...@schlittermann.de
CC: exim-dev@exim.org

Buffer overflow. RCE might be possible using a handcrafted message. Bug is fixed already and distros have access to the fixed versions since 2018-02-08 17:00 UTC.

This fix should be cherry-picked onto the master branch as soon as it is public.