Exim: 4.83 Released, CVE-2014-2972 fix

[Phil Pennock <oss-security-phil () spodhuis org>]

Attached should be two emails from one of my fellow Exim maintainers,
Todd, who has driven the past couple of releases and done the bulk of
the coordination for this CVE.

Our thanks, once more, to Rack911 and Cpanel.

-Phil, pdp () exim org
> --- Begin Message ---
>
>
> From: Todd Lyons <tlyons () exim org>
>
> Date: Tue, 22 Jul 2014 15:59:49 +0100
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>  have uploaded Exim 4.83 to:
> ftp://ftp.exim.org/pub/exim/exim4/
>
> This release of Exim includes one incompatible fix: the behavior of
> expansion of arguments to math comparison functions (<, <=, =, =>, >)
> was unexpected, expanding the values twice. This fix also addresses a
> security advisory, CVE-2014-2972. This is not a remote exploit, but if
> content that is searched by the above math comparison functions is under
> the control of an attacker, specially crafted data can be inserted that
> will cause the Exim mail server to perform various file-system functions
> as the exim user.
>
> This release contains the following enhancements and bugfixes:
> + PRDR was promoted from Experimental to mainline
> + OCSP Stapling was promoted from Experimental to mainline
> + new Experimental feature Proxy Protocol
> + new Experimental feature DSN (Delivery Status Notifications)
> + TLS session improvements
> + TLS SNI fixes
> + LDAP enhancements
> + DMARC fixes (previous CVE-2014-2957) and new $dmarc_domain_policy
> + several new operations (listextract, utf8clean, md5, sha1)
> + enforce header formatting with verify=header_names_ascii
> + new commandline option -oMm
> + new TLSA dns lookup
> + new malware "sock" type
> + cutthrough routing enhancements
> + logging enhancements
> + DNSSEC enhancements
> + exiqgrep enhancements
> + deprecating non-standard SPF results
> + build and portability fixes
> + documentation fixes and enhancements
>
> The ChangeLog/NewStuff/README.UPDATING are packaged with the exim
> tarball or can be reviewed online at:
>
> http://git.exim.org/exim.git/blob/exim-4_83:/doc/doc-txt/ChangeLog
> http://git.exim.org/exim.git/blob/exim-4_83:/doc/doc-txt/NewStuff
> http://git.exim.org/exim.git/blob/exim-4_83:/src/README.UPDATING
>
> The files are signed with the PGP key 0x04D29EBA, which has a uid
> "Todd Lyons (Exim Maintainer) <tlyons () exim org>". Please use your own
> discretion in assessing what trust paths you might have to this uid.
>
> Checksums are below. Detached PGP signatures in .asc files are available
> alongside the tarballs.
>
> Please report issues by replying to this email on exim-users.
>
> Thank you for your patronage,
> - ---Todd Lyons, pp The Exim Maintainers
>
> SHA256(exim-4.83.tar.bz2) = efa031b89ffb2ab844a4bf9d3a5d7ca4d587d82b62ae233d68c4f26e079a6a02
> SHA256(exim-4.83.tar.bz2.asc) = 1d7c4cd0e3714244904f31e5b690226d258c5f8ef32c9a344ef662f05fcb8a73
> SHA256(exim-4.83.tar.gz) = 200880381fdd1b2ce36e49b9c9bcc8b57008ff02084b87d31c6ff9867e9fea06
> SHA256(exim-4.83.tar.gz.asc) = 91ef599c66df5661ca018116e7ca7408e57d22f9d3c0b7e6c465951a878ae044
> SHA256(exim-html-4.83.tar.bz2) = d7b38922f2aedd9eb4db7aa0e1e1c0fcd948777a4c8bac7971eaf4b2959bf0de
> SHA256(exim-html-4.83.tar.bz2.asc) = 9d20439e8c1f6c25cb120fe9e7ecc689c513bf5607ebd80e07a511a8def8d5a1
> SHA256(exim-html-4.83.tar.gz) = a58e077170225efe78cadcedd4bc1d66d34c87a5581ee597e0634e475e1f60ab
> SHA256(exim-html-4.83.tar.gz.asc) = c7bfb22f2df14af4f5e058138f347d3868c5d8b0c366ca26fe3b3a16b0c66cb3
> SHA256(exim-pdf-4.83.tar.bz2) = 478fca2c13fbda403fb0c373dc61e82aa434e7167c0341f24b83195afd294b82
> SHA256(exim-pdf-4.83.tar.bz2.asc) = fc01512d0be78b1412be0abcb0a204afa5ab46a8b45bc9396ded364d1ddc0e00
> SHA256(exim-pdf-4.83.tar.gz) = 8f5e31e4b8c1fa8e402f6e0baf24350df916d78bfa888a4a6b435d0853766b2e
> SHA256(exim-pdf-4.83.tar.gz.asc) = 3203916a6fe142f258e69e8c2361df40b9b3b67bbbe8bb34de58e17597acc517
> SHA256(exim-postscript-4.83.tar.bz2) = 7f8ef825a832debdab54173bfb4e86acaaa6eb139a64e8b87a785183354375cf
> SHA256(exim-postscript-4.83.tar.bz2.asc) = ff13e6e5799a98336b3953045f1348aab1f9e52b9d0da2b0fbe909a22d264a40
> SHA256(exim-postscript-4.83.tar.gz) = 9f184baee80875caa4d27b15495500afc4eae44f275b63b170dcccc3cdf19769
> SHA256(exim-postscript-4.83.tar.gz.asc) = 31171cba3aac6205abf08f122154a6d8a84c12763ccf0a78719ab3af9356c86d
>
> - -- 
> Regards...              Todd
> All truth passes through three stages. First, it is ridiculed. Second,
> it is violently opposed. Third, it is accepted as being self-evident.
> Linux kernel 2.6.16.27-0.9-smp   load average: 0.63, 0.78, 0.70
> To: 
> Cc: 
> Bcc: 
> Subject: 
> Reply-To: 
> Organization: exim.org Exim MTA Developers
>
>
> - -- 
> Regards...              Todd
> I've visited conferences where the wireless LAN was deemed "secure" by
> the organisation because they had outlawed sniffers.    --Neils Bakker
> Linux kernel 2.6.16.27-0.9-smp   load average: 0.61, 0.48, 0.42
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iEYEARECAAYFAlPOfGQACgkQxPT5SATSnrr+4gCdGc7PMVxAhNQmTU9WVTwqN8s9
> xNwAoJRDcXxeNZgYhS7ByNGEGt7HsXPh
> =Abf5
> -----END PGP SIGNATURE-----
>
> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
> --- End Message ---
> --- Begin Message ---
>
>
> From: Todd Lyons <tlyons () exim org>
>
> Date: Tue, 22 Jul 2014 16:24:52 +0100
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Exim developers want to inform you of a local vulnerability in Exim.
> Exploitability requires the ability to provide unsanitised data to a
> data source used by Exim for looking up a value, and the impact is the
> ability to get a string expansion done as the Exim runtime user (so, run
> commands, etc) because in a certain scenario, there's a
> double-expansion, so it's equivalent to the result of the data being
> "eval"d again. This bug was discovered by Patrick William of Rack911,
> and reported to us by the Cpanel Security Team. Exploitation using this
> method was discovered by penetration testing; it was not observed in the
> wild. This security advisory has been assigned CVE-2014-2972.
>
> We would like to publicly thank Rack911 and Cpanel for responsibly
> notifying the Exim developers with a description of the problem
> and coordinating their release of software fixes with ours. Appearing so
> close to the end of the release cycle allowed us to handle the issue
> with relative ease.
>
> This is not a remote exploit. It requires a user account on a server
> where Exim is configured to do lookups against files to which the user
> has edit access. As such, this does not require a Security Release, so
> we will proceed with the regular release cycle.
>
> The root cause of this issue is the arguments to mathematical comparison
> operations are expanded twice (<, <=, >, >=, =).  The intent of the
> original code was the first expansion could (for example) lookup an item
> from a file. The assumption was that entry would be some form of valid
> integer so that value was then passed to the expand function again to do
> a numeric conversion of values such as 19k or 45M to integers.  However,
> if the content of the lookup is under direct user control, they could
> insert something with an expansion, such as:
>   ${run {/bin/touch /tmp/OUCH}}
> Since the data is not sanitized when the second expansion occurs
> (intended to process numerical conversion), that command would get
> executed as the exim user.
>
> We Exim developers agree this behavior is a bug in Exim because it is
> expected that an argument to a function will only be expanded once. As
> such, we have a patch which will be applied to 4.83 when it is
> officially released on Tue which will modify this behavior: for math
> based comparisons, the arguments are only expanded once, followed by a
> numeric only conversion. This is changing a behavior that has been
> present in Exim since the original code was committed in 2004.
>
> Regards,
> - - -- Todd Lyons, pp The Exim Maintainers.
>
> - -- 
> Regards...              Todd
> Linux kernel 2.6.16.27-0.9-smp   load average: 0.45, 0.71, 0.94
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iEYEARECAAYFAlPOgkMACgkQxPT5SATSnrrJbQCg3Cw6RCwuRqmRjI2X2uLV0Lho
> 6DQAn3gJK9Bo0JYEhkP3bM4OgJSqM4EX
> =wsZV
> -----END PGP SIGNATURE-----
>
> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
> --- End Message ---

Attachment: _bin
Description: