Re: [exim] CVE-2018-6789 Exim 4.90 and earlier: buffer overflow

[Heiko Schlittermann via Exim-users]

Heiko Schlittermann  (Mi 07 Feb 2018 11:39:43 CET):
> CVE-2018-6789 Exim 4.90 and earlier
> ===
….
> Next steps:
> 
> * t0: Distros will get access to our "security" non-public git repo
>   (based on the SSH keys known to us)
> * t0 +7d: Patch will be published on the official public git repo
 
t0 was 2018-02-08 17:00 UTC

We need to cut the time for the distros and we'll release the patch to
the public today.

2018-02-10 18:00 UTC

Sorry for the inconvenience, thank you for understanding and for using
Exim.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


signature.asc
Description: PGP signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] CVE-2018-6789 Exim 4.90 and earlier: buffer overflow

[Heiko Schlittermann via Exim-users]

Heiko Schlittermann  (Mi 07 Feb 2018 11:39:43 CET):
> CVE-2018-6789 Exim 4.90 and earlier
> ===
> 
> There is a buffer overflow in an utility function, if some pre-conditions
> are met.  Using a handcrafted message, remote code execution seems to be
> possible.
> 
> A patch exists already and is being tested.
> 
> Currently we're unsure about the severity, we *believe*, an exploit
> is difficult. A mitigation isn't known.
> 
> Next steps:
> 
> * t0: Distros will get access to our "security" non-public git repo
>   (based on the SSH keys known to us)
> * t0 +7d: Patch will be published on the official public git repo
> 
> t0 will be around 2018-02-08.

t0 is now. Distro maintainers please use the following repos URLs:


The full git repo:

ssh://g...@exim.org/exim.git 
tag: exim-4_90_1

The tarballs git repo:

ssh://g...@exim.org/exim-packages.git
tag: exim-4_90_1

The tags are signed with my key¹, as are the tarballs and my own
commits.

¹) If you get a warning about my key being expired, please refresh it
from the keyservers or from
https://ssl.schlittermann.de/keys/gpg/h...@schlittermann.de/F69376CE.asc

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


signature.asc
Description: PGP signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] CVE-2018-6789 Exim 4.90 and earlier: buffer overflow

[Heiko Schlittermann via Exim-users]

CVE-2018-6789 Exim 4.90 and earlier
===

There is a buffer overflow in an utility function, if some pre-conditions
are met.  Using a handcrafted message, remote code execution seems to be
possible.

A patch exists already and is being tested.

Currently we're unsure about the severity, we *believe*, an exploit
is difficult. A mitigation isn't known.

Next steps:

* t0: Distros will get access to our "security" non-public git repo
  (based on the SSH keys known to us)
* t0 +7d: Patch will be published on the official public git repo

t0 will be around 2018-02-08.

Timeline


* 2018-02-05 Report from Meh Chang  via exim-security mailing 
list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
 CVE-2018-6789
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers
 mailing lists and on oss-security mailing list

Updates will follow. Here and on https://exim.org/security/CVE-2018-6789.txt
(Link will start to exist around 11.00 UTC).

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


signature.asc
Description: PGP signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/