CVE-2011-1764: format string vulnerability

Bug #779391 reported by Felix Geyer
This bug affects 4 people

Affects          Status        Importance  Assigned to  Milestone
exim             Fix Released  Unknown
exim4 (Debian)   Fix Released  Unknown
exim4 (Ubuntu)   Fix Released  Medium      Kees Cook
  Lucid          Fix Released  Medium      Kees Cook
  Maverick       Fix Released  Medium      Kees Cook
  Natty          Fix Released  Medium      Kees Cook
  Oneiric        Fix Released  Medium      Kees Cook

Bug Description

Binary package hint: exim4

From http://www.debian.org/security/2011/dsa-2232

> It was discovered that Exim, the default mail transport agent in Debian, uses DKIM data obtained from DNS directly in a format string, potentially allowing malicious mail senders to execute arbitrary code. (CVE-2011-1764)

Tags: patch
Suresh Ramasubramanian (suresh-hserus) wrote:

Email from John Levine below - says it all I think.

thanks
--srs

-------- Original Message --------
Subject: Re: dkim plugin in exim 4.72 doesnt seem to like your signature ..
Date: 29 Apr 2011 10:50:50 -0400
From: John R. Levine <email address hidden>
To: Suresh Ramasubramanian <email address hidden>

It's a buglet in exim, which seems to be misinterpreting percent signs as printf codes or something.

In DKIM signatures, percent signs aren't special.

On Fri, 29 Apr 2011, Suresh Ramasubramanian wrote:

> 2011-04-29 02:34:28 1QFk5k-0003Ry-NL string_format: unsupported type in
> "%i" in "DKIM: d=iecc.com s=4330.4db9faa9.k1104 c=simple/simple
> a=rsa-sha256 i=spamfighter%<email address hidden> [verification
> succeeded]"
> 2011-04-29 03:06:34 1QFkao-0003VB-Lv string_format: unsupported type in
> "%i" in "DKIM: d=iecc.com s=4330.4db9faa9.k1104 c=simple/simple
> a=rsa-sha256 i=spamfighter%<email address hidden> [verification
> succeeded]"
> 2011-04-29 03:37:32 1QFl4m-0003Xa-C0 string_format: unsupported type in
> "%i" in "DKIM: d=iecc.com s=4330.4db9faa9.k1104 c=simple/simple
> a=rsa-sha256 i=spamfighter%<email address hidden> [verification
> succeeded]"
>
> etc
>
>

Regards,
John Levine, <email address hidden>, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

Tom Kistner (tom-duncanthrax) wrote:

Thanks Suresh, fix is pushed.

Git-p (git-p) wrote:

Git commit: http://git.exim.org/exim.git/commitdiff/337e3505b0e6cd4309db6bf6062b33fa56e06cf8

commit 337e3505b0e6cd4309db6bf6062b33fa56e06cf8
Author: Tom Kistner <email address hidden>
AuthorDate: Sat Apr 30 13:20:17 2011 +0100
Commit: Tom Kistner <email address hidden>
CommitDate: Sat Apr 30 13:20:17 2011 +0100

    Bugzilla #1106: Don't pass DKIM compound log line as format string
---
 src/src/dkim.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/src/dkim.c b/src/src/dkim.c
index e25ff8c..2318cc3 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -108,7 +108,7 @@ void dkim_exim_verify_finish(void) {
     /* Log a line for each signature */
     uschar *logmsg = string_append(NULL, &size, &ptr, 5,

- string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
+ string_sprintf( "d=%s s=%s c=%s/%s a=%s ",
                       sig->domain,
                       sig->selector,
                       (sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
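Review bot: on its own this hunk changes nothing security-relevant: sig->domain, sig->selector and the canonicalisation strings are already consumed as %s arguments of string_sprintf, and the only effect is dropping the "DKIM: " prefix from the per-signature text so that it can live in the constant format of the log_write call further down. Worth adding a comment above the string_append call saying that logmsg is assembled from signature fields chosen by the sender and must only ever travel as a %s argument, because nothing else in this file will stop a later refactor from handing it to a format parameter again.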
@@ -176,7 +176,7 @@ void dkim_exim_verify_finish(void) {
     }

     logmsg[ptr] = '\0';
- log_write(0, LOG_MAIN, (char *)logmsg);
+ log_write(0, LOG_MAIN, "DKIM: %s", logmsg);

     /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
     dkim_signers = string_append(dkim_signers,
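Review bot: this hunk is the actual fix: logmsg, which embeds the DKIM identity and other tag values taken from the incoming message, was passed to log_write as its format, so the "%i" inside the i= value in the forwarded log lines was treated as a conversion directive. Passing the constant "DKIM: %s" and logmsg as its argument closes that. Two follow-ups are worth asking for before this is considered done: a check of dkim.c for any other log_write or string_sprintf call whose format is a built string rather than a literal, and, since the formatting is done by Exim's own string_vformat rather than libc, a GCC format attribute on log_write (the format is its third parameter and the arguments start at the fourth, as the new line shows) so that a non-literal format like the removed "(char *)logmsg" is flagged at compile time; the cast on the removed line shows that the type system alone was not going to complain.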

Felix Geyer (debfx)
visibility: private → public
Kees Cook (kees)
Changed in exim4 (Ubuntu):
status: New → Triaged
Changed in exim:
status: Unknown → Fix Released
Felix Geyer (debfx) wrote:

Affects lucid - oneiric (exim4 >= 4.70).

Felix Geyer (debfx) wrote:

Fix for oneiric by merging 4.75-3 from Debian.

Felix Geyer (debfx) wrote:

debdiff for lucid

Kees Cook (kees) wrote:

Just as a note, due to Ubuntu's default compiler flags[1], this vulnerability is "only" a denial-of-service and does not seem to result in arbitrary code execution.

[1] https://wiki.ubuntu.com/CompilerFlags

Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote:

Kees, are you sure about compiler flags helping? Exim's string_vformat is a separate builtin implementation.

Kees Cook (kees) wrote:

AAaargh. Who reimplements sprintf!? I am working on hardy and dapper now. Will have this uploaded shortly. Thanks for double-checking and getting the Lucid and Oneiric patches ready!

At least full ASLR (PIE[1]) is in place in Lucid and later, so exploiting this is difficult, but not impossible.

[1] https://wiki.ubuntu.com/Security/Features#pie
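As an added illustration of the point Andreas and Kees are discussing (this is not Exim's code; the toy interpreter only stands in for string_vformat): compiler flags such as -Wformat-security and FORTIFY_SOURCE only cover libc's printf family and functions that carry a format attribute, so a home-grown format interpreter gets no protection from them. The block models the two call patterns from the commit above: the per-signature line, including a constructed i= identity that contains a literal percent sign, handed over as the format itself, versus handed over as a %s argument to a constant format. The interpreter takes its arguments from an explicit array so that an unsupported directive is reported the way Exim's string_format did in the forwarded log lines, instead of reading a vararg that was never passed. The names toy_format, log_dkim_vulnerable and log_dkim_fixed and the sample values are assumptions of this example, not Exim identifiers.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Exim's code. toy_format stands in for a home-grown
 * string_vformat: it understands only %s and %%, and takes its arguments
 * from an explicit array rather than a va_list, so a directive with no
 * matching argument is reported instead of reading a vararg that was
 * never passed. Returns 0 on success; on failure returns -1 and leaves a
 * diagnostic in out, shaped like the "string_format: unsupported type"
 * line Exim wrote to its log.
 */
static int toy_format(char *out, size_t outsz, const char *fmt,
                      const char **args, size_t nargs)
{
    size_t o = 0, a = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') {
            if (o + 1 >= outsz) return -1;        /* no room for char + NUL */
            out[o++] = *p;
            continue;
        }
        p++;                                      /* look at the directive */
        if (*p == '%') {
            if (o + 1 >= outsz) return -1;
            out[o++] = '%';
            continue;
        }
        if (*p == 's' && a < nargs) {
            size_t n = strlen(args[a]);
            if (o + n >= outsz) return -1;
            memcpy(out + o, args[a++], n);
            o += n;
            continue;
        }
        /* Unknown directive, or %s with no argument left: refuse and explain. */
        snprintf(out, outsz, "string_format: unsupported type in \"%%%c\" in \"%s\"",
                 *p ? *p : '?', fmt);
        return -1;
    }
    out[o] = '\0';
    return 0;
}

/* Constructed sample signature fields. A literal '%' is legal inside a
   DKIM i= tag, which is exactly the case in the log lines forwarded above. */
static const char *SIG_DOMAIN   = "example.com";
static const char *SIG_IDENTITY = "spamfighter%i@example.com";

/* Pattern before the fix: the assembled line, which embeds fields chosen by
   the sender, is handed to the interpreter as the format itself. */
static int log_dkim_vulnerable(char *out, size_t outsz)
{
    char line[256];
    snprintf(line, sizeof line, "DKIM: d=%s i=%s [verification succeeded]",
             SIG_DOMAIN, SIG_IDENTITY);
    return toy_format(out, outsz, line, NULL, 0);
}

/* Pattern after the fix: a constant format, and the assembled line only as data. */
static int log_dkim_fixed(char *out, size_t outsz)
{
    char line[256];
    const char *args[1];
    snprintf(line, sizeof line, "d=%s i=%s [verification succeeded]",
             SIG_DOMAIN, SIG_IDENTITY);
    args[0] = line;
    return toy_format(out, outsz, "DKIM: %s", args, 1);
}

/* Self-checks: the vulnerable pattern trips on the "%i" inside the identity,
   the fixed pattern logs the identity literally. */
static int vulnerable_pattern_fails(void)
{
    char b[512];
    return log_dkim_vulnerable(b, sizeof b) == -1 &&
           strstr(b, "unsupported type in \"%i\"") != NULL;
}

static int fixed_pattern_logs_literally(void)
{
    char b[512];
    return log_dkim_fixed(b, sizeof b) == 0 &&
           strcmp(b, "DKIM: d=example.com i=spamfighter%i@example.com "
                     "[verification succeeded]") == 0;
}

int main(void)
{
    char buf[512];
    int rc = log_dkim_vulnerable(buf, sizeof buf);
    printf("vulnerable pattern: rc=%d, log text: %s\n", rc, buf);
    rc = log_dkim_fixed(buf, sizeof buf);
    printf("fixed pattern:      rc=%d, log text: %s\n", rc, buf);
    return 0;
}
```

With a real va_list implementation the vulnerable pattern would not stop at a diagnostic: each directive in the sender's data consumes an argument that was never pushed, which is why the fix is to keep the format constant rather than to sanitise the data. A format attribute on the custom functions is the cheap way to get the compiler to spot the non-literal format at the call site.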

Kees Cook (kees) wrote:

Er, nevermind, DKIM was added after Hardy.

Changed in exim4 (Ubuntu Lucid):
status: New → Fix Committed
Changed in exim4 (Ubuntu Maverick):
status: New → Fix Committed
Changed in exim4 (Ubuntu Natty):
status: New → Fix Committed
Changed in exim4 (Ubuntu Oneiric):
status: Triaged → In Progress
Changed in exim4 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Natty):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Lucid):
assignee: nobody → Kees Cook (kees)
Changed in exim4 (Ubuntu Maverick):
assignee: nobody → Kees Cook (kees)
Changed in exim4 (Ubuntu Natty):
assignee: nobody → Kees Cook (kees)
Changed in exim4 (Ubuntu Oneiric):
assignee: nobody → Kees Cook (kees)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package exim4 - 4.74-1ubuntu1.1

---------------
exim4 (4.74-1ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #779391)
    - debian/patches/85_CVE-2011-1764.patch: patch from upstream
    - CVE-2011-1764
 -- Felix Geyer <email address hidden> Sun, 08 May 2011 15:31:05 +0200

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package exim4 - 4.72-1ubuntu1.2

---------------
exim4 (4.72-1ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #779391)
    - debian/patches/85_CVE-2011-1764.patch: patch from upstream
    - CVE-2011-1764
 -- Kees Cook <email address hidden> Mon, 09 May 2011 16:51:44 -0700

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package exim4 - 4.71-3ubuntu1.2

---------------
exim4 (4.71-3ubuntu1.2) lucid-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #779391)
    - debian/patches/85_CVE-2011-1764.patch: patch from upstream
    - CVE-2011-1764
 -- Felix Geyer <email address hidden> Sun, 08 May 2011 15:31:05 +0200

Changed in exim4 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in exim4 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in exim4 (Ubuntu Natty):
status: Fix Committed → Fix Released
Exim-bugs (exim-bugs) wrote:

Just for the record: This bug is CVE-2011-1764
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1764

tags: added: patch
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package exim4 - 4.76-1ubuntu1

---------------
exim4 (4.76-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes (LP: #779391):
    - debian/control: Don't declare a Provides: default-mta; in Ubuntu,
      we want postfix to be the default.

exim4 (4.76-1) unstable; urgency=low

  * New upstream version.
  * Drop 80_match_isinlist.diff (included upstream).

exim4 (4.76~RC1-3) experimental; urgency=low

  * 80_match_isinlist.diff pulled from upstream git.

exim4 (4.76~RC1-2) experimental; urgency=low

  * Fix testsuite error.
  * Disable verification of DKIM signatures if DC_minimaldns or the (newly
    added) DISABLE_DKIM_VERIFY macro are set. Closes: #609764
  * [lintian] Drop useless comments from debian/watch.

exim4 (4.76~RC1-1) experimental; urgency=low

  * New upstream version.
  * Drop superfluous patches. 80_ldap_require_cert-work.diff
    81_negatebool.diff 82_dkimpercent.diff
  * [Lintian] Fix grammar error in manpage (spelling-error-in-manpage
    update-exim4defaults.8.gz allows to allows one to).
  * [debian/minimaltest]: Added. Try to run a minimal functionality test after
    building exim. (Currently only supported if the build-system has a
    Debian-exim user.)

exim4 (4.75-3) unstable; urgency=high

  * [debian/rules] Fix dependencies and targets, speeding up package build.
    Previously everything was compiled twice.
  * Patches pulled from upstream git:
    +81_negatebool.diff Negating the $bool expansion condition did not work.
    +82_dkimpercent.diff dkim sig logged to paniclog. Closes: #624670
     (CVE-2011-1764)
 -- Stephane Graber <email address hidden> Mon, 23 May 2011 12:37:30 -0400

Changed in exim4 (Ubuntu Oneiric):
status: In Progress → Fix Released
Changed in exim4 (Debian):
status: Unknown → Fix Released