It took me a while to figure this out, but now I found a way how this can be reproduced:
Use netcat to connect to Exim on port 25 and send the following line:

EHLO [IPv4:192.168.0.1%15]

Exim replies with:

421 Unexpected failure, please try later

And the message mentioned earlier can be found in the paniclog.

While working on figuring this out, I also found out why this only happens with certain strings (and thus is so rare), and how this bug got introduced (spoiler: it happened when backporting a security patch from a newer Exim release):

This happens because string_is_ip_address is called from check_helo in smtp_in.c. However, the bug is only triggered when the string passed to the string_is_ip_addressX function contains a percent sign (or in certain cases a forward slash, but this is not relevant in the context of check_helo, because maskp is not set, and thus a forward slash causes string_is_ip_addressX to quit early). The call to string_is_ip_address is only made by check_helo if the HELO string starts with [ and ends with ] (so the bug can also be triggered with "[%]").

I believe that the bug was introduced with CVE-2023-42117.patch. This patch replaced string_is_ip_address with string_is_ip_addressX backported from a newer version of Exim. I suspect that either the problem got fixed upstream before an official release was made, or it got caught later and was then fixed in a subsequent release (indicated by the fact that the code now looks different upstream). However, this fix never got included in the patch for Ubuntu, which explains why it still exists there.

Because this is only triggered by very specific strings in the EHLO / HELO SMTP command, it is seen so rarely.

** CVE added: https://cve.org/CVERecord?id=CVE-2023-42117

Bug: https://bugs.launchpad.net/bugs/2152830
Title: Taint mismatch, Ustrncpy: string_is_ip_addressX 110
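An added example (not from the bug report or from Exim) for spotting this failure on a mail server: it scans paniclog text for the "Taint mismatch" panic the report describes and counts how often each affected function is hit, so an operator can tell the check_helo case apart from other taint panics. It assumes the usual Exim log layout of a "YYYY-MM-DD HH:MM:SS" timestamp, optionally a message id, then the panic text; the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed paniclog layout: timestamp, optional Exim message id, panic text.
PANIC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?:(?P<msgid>\S{6}-\S{6}-\S{2}) )?'
    r'Taint mismatch, (?P<op>\w+): (?P<func>\w+) (?P<line>\d+)$'
)

# Constructed sample paniclog content for this example, not a real log.
SAMPLE_PANICLOG = """\
2025-01-10 09:14:02 Taint mismatch, Ustrncpy: string_is_ip_addressX 110
2025-01-10 09:14:02 1tGxyz-0001ab-Cd unable to open main log
2025-01-10 11:30:45 Taint mismatch, Ustrncpy: string_is_ip_addressX 110
2025-01-11 02:05:17 Taint mismatch, Ustrcpy: some_other_function 42
"""


def find_taint_panics(text):
    """Return one dict per 'Taint mismatch' panic line found in paniclog text."""
    hits = []
    for raw in text.splitlines():
        m = PANIC_RE.match(raw.strip())
        if m:
            hits.append({
                "timestamp": m.group("ts"),
                "operation": m.group("op"),
                "function": m.group("func"),
                "line": int(m.group("line")),
            })
    return hits


def summarise(hits):
    """Count panics per (operation, function, line) to see which code path fires."""
    return Counter((h["operation"], h["function"], h["line"]) for h in hits)


def helo_related(hits):
    """Panics matching this report: Ustrncpy inside string_is_ip_addressX."""
    return [h for h in hits
            if h["operation"] == "Ustrncpy" and h["function"] == "string_is_ip_addressX"]


if __name__ == "__main__":
    found = find_taint_panics(SAMPLE_PANICLOG)
    for (op, func, line), n in summarise(found).items():
        print(f"{n:3d}  {op} in {func} line {line}")
    print(f"{len(helo_related(found))} panic(s) match the check_helo pattern")
```

Run it against /var/log/exim4/paniclog (read the file and pass its text to find_taint_panics) to confirm whether the 421 responses seen by clients line up with this panic.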
