[exim.git] / doc / doc-txt / cve-2019-16928 / cve.txt

CVE ID:     CVE-2019-16928
Date:       2019-09-27 (CVE assigned)
Version(s): from 4.92 up to and including 4.92.2
Reporter:   QAX-A-TEAM <areuu@outlook.com>
Reference:  https://bugs.exim.org/show_bug.cgi?id=2449
Issue:      Heap-based buffer overflow in string_vformat,
            remote code execution seems to be possible

Conditions to be vulnerable
===========================

All versions from (and including) 4.92 up to (and including) 4.92.2 are
vulnerable.

Details
=======

There is a heap-based buffer overflow in string_vformat (string.c).
The currently known exploit uses a extraordinary long EHLO string to
crash the Exim process that is receiving the message. While at this
mode of operation Exim already dropped its privileges, other paths to
reach the vulnerable code may exist.

Mitigation
==========

There is - beside updating the server - no known mitigation.

Fix
===

Download and build the fixed version 4.92.3

    Tarballs: https://ftp.exim.org/pub/exim/exim4/
    Git:      https://github.com/Exim/exim.git
              - tag    exim-4.92.3
              - branch exim-4.92.3+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
fixes.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix.  (Please note,
the Exim project officially doesn't support versions prior the current
stable version.)

Timeline
=========

- 2019-09-27    Report as Bug 2499
- 2019-09-28    Announcement to exim-maintainers, oss-security
- 2019-09-28    Release 4.92.3, Release-Announcements to
                exim-{announce,users,maintainers}, oss-security
Commit	Line	Data
e101dc5c JH	1	CVE ID: CVE-2019-16928
	2	Date: 2019-09-27 (CVE assigned)
	3	Version(s): from 4.92 up to and including 4.92.2
	4	Reporter: QAX-A-TEAM <areuu@outlook.com>
	5	Reference: https://bugs.exim.org/show_bug.cgi?id=2449
	6	Issue: Heap-based buffer overflow in string_vformat,
	7	remote code execution seems to be possible
	8
	9	Conditions to be vulnerable
	10	===========================
	11
	12	All versions from (and including) 4.92 up to (and including) 4.92.2 are
	13	vulnerable.
	14
	15	Details
	16	=======
	17
	18	There is a heap-based buffer overflow in string_vformat (string.c).
	19	The currently known exploit uses a extraordinary long EHLO string to
	20	crash the Exim process that is receiving the message. While at this
	21	mode of operation Exim already dropped its privileges, other paths to
	22	reach the vulnerable code may exist.
	23
	24	Mitigation
	25	==========
	26
	27	There is - beside updating the server - no known mitigation.
	28
	29	Fix
	30	===
	31
e39f19e0 HSHR	32	Download and build the fixed version 4.92.3
	33
	34	Tarballs: https://ftp.exim.org/pub/exim/exim4/
	35	Git: https://github.com/Exim/exim.git
	36	- tag exim-4.92.3
	37	- branch exim-4.92.3+fixes
	38
	39	The tagged commit is the officially released version. The +fixes branch
	40	isn't officially maintained, but contains the security fix and useful
	41	fixes.
	42
	43	If you can't install the above versions, ask your package maintainer for
	44	a version containing the backported fix. On request and depending on our
	45	resources we will support you in backporting the fix. (Please note,
	46	the Exim project officially doesn't support versions prior the current
	47	stable version.)
	48
	49	Timeline
	50	=========
	51
	52	- 2019-09-27 Report as Bug 2499
	53	- 2019-09-28 Announcement to exim-maintainers, oss-security
	54	- 2019-09-28 Release 4.92.3, Release-Announcements to
	55	exim-{announce,users,maintainers}, oss-security