oss-sec mailing list archives
Re: Exim < 4.95 heap overflow
From: Roxana Bradescu <roxabee () chromium org>
Date: Sun, 7 Aug 2022 08:39:59 -0700
Adding the Exim security folks to this thread to shed some light on the original report and CVE discussion. Per their https://github.com/Exim/exim/wiki/SecurityReleaseProcess they email this group and distros to notify of security issues. They will also issue CVEs. However I don’t actually see any CVE issued since 2019 https://github.com/Exim/exim/wiki/EximSecurity —- Regards, Roxana On Sun, Aug 7, 2022 at 6:49 AM John Helmert III <ajak () gentoo org> wrote:
On Sat, Aug 06, 2022 at 10:46:42PM +0300, Evgeny Legerov wrote:Hi, Here is another bug which has been silently fixed in Exim. It has not been recognized as a security issue, many distros still don't have this patch.Why do you say it hasn't been recognized as a security issue? Distros don't usually have a way of knowing about a vulnerability that needs patching without a CVE. Have you requested a CVE?Original report + patch is here -https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 That commit does not seem like an original report.Analysis of the bug - https://github.com/ivd38/exim_overflow I don't post here because it is huge snippet of code. regards, -e
Current thread:
- Exim < 4.95 heap overflow Evgeny Legerov (Aug 06)
- Re: Exim < 4.95 heap overflow John Helmert III (Aug 07)
- Re: Exim < 4.95 heap overflow Roxana Bradescu (Aug 07)
- Re: [Exim-Security] [oss-security] Exim < 4.95 heap overflow Graeme Fowler (Aug 10)
- Re: [Exim-Security] [oss-security] Exim < 4.95 heap overflow Roxana Bradescu (Aug 12)
- Re: Exim < 4.95 heap overflow Roxana Bradescu (Aug 07)
- Re: Exim < 4.95 heap overflow John Helmert III (Aug 07)
- Re: Exim < 4.95 heap overflow Stuart Henderson (Aug 07)