File CVE-2019-10149.patch of Package exim.openSUSE_Leap_15.1_Update
commit d740d2111f189760593a303124ff6b9b1f83453d
Author: Jeremy Harris <jgh146exb@wizmail.org>
Date: Mon May 27 21:57:31 2019 +0100
Fix CVE-2019-10149
diff --git a/doc/cve-2019-10149 b/doc/cve-2019-10149
new file mode 100644
index 00000000..4a9d3fb6
--- /dev/null
+++ b/doc/cve-2019-10149
@@ -0,0 +1,36 @@
+CVE-2019-10149 Exim 4.87 to 4.91
+================================
+
+We received a report of a possible remote exploit. Currently there is no
+evidence of an active use of this exploit.
+
+A patch exists already, is being tested, and backported to all
+versions we released since (and including) 4.87.
+
+The severity depends on your configuration. It depends on how close to
+the standard configuration your Exim runtime configuration is. The
+closer the better.
+
+Exim 4.92 is not vulnerable.
+
+Next steps:
+
+* t0: Distros will get access to our non-public security Git repo
+ (access is granted based on the SSH keys that are known to us)
+
+* t0+7d: Coordinated Release Date: Distros should push the patched
+ version to their repos. The Exim maintainers will publish
+ the fixed source to the official and public Git repo.
+
+t0 is expected to be 2019-06-04, 10:00 UTC
+t0+7d is expected to be 2019-06-11, 10:00 UTC
+
+
+Timeline
+--------
+
+* 2019-05-27 Report from Qualys to exim-security list
+* 2019-05-27 Patch provided by Jeremy Harris
+* 2019-05-29 CVE-2019-10149 assigned from Qualys via RedHat
+* 2019-06-03 This announcement
+* 2019-06-04 10:00 UTC Grant access to the non-public security Git repo
diff --git a/src/deliver.c b/src/deliver.c
index 59256ac2..45cc0723 100644
--- a/src/deliver.c
+++ b/src/deliver.c
@@ -6227,17 +6227,23 @@ if (process_recipients != RECIP_IGNORE)
{
uschar * save_local = deliver_localpart;
const uschar * save_domain = deliver_domain;
+ uschar * addr = new->address, * errmsg = NULL;
+ int start, end, dom;
- deliver_localpart = expand_string(
- string_sprintf("${local_part:%s}", new->address));
- deliver_domain = expand_string(
- string_sprintf("${domain:%s}", new->address));
+ if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "failed to parse address '%.100s': %s\n", addr, errmsg);
+ else
+ {
+ deliver_localpart =
+ string_copyn(addr+start, dom ? (dom-1) - start : end - start);
+ deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
- (void) event_raise(event_action,
- US"msg:fail:internal", new->message);
+ event_raise(event_action, US"msg:fail:internal", new->message);
- deliver_localpart = save_local;
- deliver_domain = save_domain;
+ deliver_localpart = save_local;
+ deliver_domain = save_domain;
+ }
}
#endif
}
