(2) noted that the exploit via dnsdb/ptr lookup was already fortuitously
fixed by a previous change.
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.57 2004/12/22 12:05:45 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.58 2004/12/29 10:16:52 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
55. Some experimental protocols are using DNS PTR records for new purposes. The
keys for these records are domain names, not reversed IP addresses. The
- dnsdb lookup now tests whether it's key is an IP address. If not, it leaves
- it alone. Component reversal etc. now happens only for IP addresses.
+ dnsdb PTR lookup now tests whether its key is an IP address. If not, it
+ leaves it alone. Component reversal etc. now happens only for IP addresses.
56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP.
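Review bot: the rewording narrows the claim from "the dnsdb lookup" to "the dnsdb PTR lookup", which matches NewStuff item 20 and the actual scope of the change; since the old text implied the IP-address test applied to every dnsdb lookup, it would help readers to add half a sentence saying that keys for other record types are not affected by this entry.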
(2) The default for smtp_banner uses $smtp_active_hostname instead
of $primary_hostname.
+60. The host_aton() function is supposed to be passed a string that is known
+ to be a valid IP address. However, in the case of IPv6 addresses, it was
+ not checking this. This is a hostage to fortune. Exim now panics and dies
+ if the condition is not met. A case was found where this could be provoked
+ from a dnsdb lookup; fortuitously, this particular loophole had already
+ been fixed by change 4.50/55 above. If there are any other similar
+ loopholes, the new check should stop them being exploited.
+
Exim version 4.43
-----------------
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.23 2004/12/22 12:05:45 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.24 2004/12/29 10:16:52 ph10 Exp $
New Features in Exim
--------------------
19. The Exiscan patch is now merged into the main source. See src/EDITME for
parameters for the build.
-20. If the key for a dnsdb lookup is not an IP address, it is used verbatim,
- without component reversal and without the addition of in-addr.arpa or
- ip6.arpa.
+20. If the key for a dnsdb PTR lookup is not an IP address, it is used
+ verbatim, without component reversal and without the addition of
+ in-addr.arpa or ip6.arpa.
21. Two changes related to the smtp_active_hostname option:
-/* $Cambridge: exim/src/src/host.c,v 1.3 2004/11/18 11:17:33 ph10 Exp $ */
+/* $Cambridge: exim/src/src/host.c,v 1.4 2004/12/29 10:16:53 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
- /* Split the address into components separated by colons. */
+ /* Split the address into components separated by colons. The input address
+ is supposed to be checked for syntax. There was a case where this was
+ overlooked; to guard against that happening again, check here and crash if
+ there is a violation. */
while (*p != 0)
{
int len = Ustrcspn(p, ":");
if (len == 0) nulloffset = ci;
+ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+ address);
component[ci++] = p;
p += len;
if (*p == ':') p++;
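Review bot: the guard `if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, ...)` sits before `component[ci++] = p;`, so it does stop the `component[]` array from being written past its eighth slot, which is the memory-safety point of the change; but the new comment says "check here and crash if there is a violation", which reads as if syntax in general is now checked, while only the component count is. Either narrow the comment to say "more than eight components" or extend the check to the other conditions host_aton() relies on. Also worth a sentence in the comment: because `LOG_PANIC_DIE` ends the process, and the ChangeLog notes this path was reachable from a dnsdb lookup, the check is a last-resort backstop against memory corruption, and callers must still validate the address (as the first line of the comment says) rather than let malformed input reach this point.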