oss-sec mailing list archives
CVE-2018-6789 Exim 4.90 and earlier: buffer overflow
From: Heiko Schlittermann <hs () schlittermann de>
Date: Wed, 7 Feb 2018 11:39:43 +0100
CVE-2018-6789 Exim 4.90 and earlier =================================== There is a buffer overflow in an utility function, if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. A patch exists already and is being tested. Currently we're unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn't known. Next steps: * t0: Distros will get access to our "security" non-public git repo (based on the SSH keys known to us) * t0 +7d: Patch will be published on the official public git repo t0 will be around 2018-02-08. Timeline -------- * 2018-02-05 Report from Meh Chang <meh () devco re> via exim-security mailing list * 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko) CVE-2018-6789 * 2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list Updates will follow. Here and on https://exim.org/security/CVE-2018-6789.txt (Link will start to exist around 11.00 UTC). Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Attachment:
signature.asc
Description:
Current thread:
- CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Heiko Schlittermann (Feb 07)
- Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Heiko Schlittermann (Feb 08)
- Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Heiko Schlittermann (Feb 08)
- Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Ian Zimmerman (Feb 08)
- Re: Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Heiko Schlittermann (Feb 08)
- Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Heiko Schlittermann (Feb 10)
- Exim 4.90.1 released. (Was: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow) Heiko Schlittermann (Feb 10)
- Re: CVE-2018-6789 Exim 4.90 and earlier: buffer overflow Heiko Schlittermann (Feb 08)