[Bug 679] New: Problems with vacation_reply


[Bug 679] New: Problems with vacation_reply

by Bugzilla from m.cetler@komunix.pl

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=679
           Summary: Problems with vacation_reply
           Product: Exim
           Version: 4.66
          Platform: x86
               URL: http://www.komunix.pl
        OS/Version: FreeBSD
            Status: NEW
          Severity: security
          Priority: critical
         Component: Transports
        AssignedTo: nigel@...
        ReportedBy: m.cetler@...
                CC: exim-dev@...


There seems to be a memory leak in the vacation_reply transport.
My configuration is:
vacation_reply:
     driver = autoreply
     from = System automatycznej odpowiedzi <${local_part}@${domain}>
     once = /var/mail/vacation/vacation-$local_part@$domain.db
     once_repeat = 1d
     subject = ${if def:h_Subject: {Re: ${quote:${escape:${length_50:$h_Subject:}}} (autoreply)} {Informacja} }
     headers = "MIME-Version: 1.0\nContent-Type: text/plain; charset=iso-8859-2\nContent-Transfer-Encoding: 8bit"
     text = "\
     Witaj $h_from\n\n\
     Ta wiadomość została wygenerowana automatycznie\n\
     Tekst poniżej zawiera informację od użytkownika:\n\
     ====================================================\n\n\
     ${lookup mysql {SELECT a.Wiadomosc FROM autoreply a,domeny d, users u WHERE a.loginid = u.id AND a.domenaid=d.id AND u.login='${local_part}' AND d.nazwa='${domain}'}}"
     group = exim
     to = "$sender_address"

which means that exim should write database information to
/var/mail/vacation/vacation-$local_part@$domain.db, which it does.
The problem is that exim writes way too much information to this file.

For example I can find my encrypted root password inside this file.

I believe this is a critical security issue which should be fixed as soon
as possible. It would be possible to read this file after getting
exim privileges and then brute-force users' passwords.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

[Bug 679] Problems with vacation_reply

by Bugzilla from nigel@exim.org

--- Comment #1 from Nigel Metheringham <nigel@...>  2008-03-05 13:39:28 ---
I think this is likely to be down to the db library working with an unclean (i.e.
not zeroed) page of memory.  Almost definitely not an exim fault.



[Bug 679] Problems with vacation_reply

by Bugzilla from m.cetler@komunix.pl


Maciej Cetler <m.cetler@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m.cetler@...

--- Comment #2 from Maciej Cetler <m.cetler@...>  2008-03-05 13:44:46 ---
The problem exists in this line:
subject = ${if def:h_Subject: {Re: ${quote:${escape:${length_50:$h_Subject:}}} (autoreply)} {Informacja} }

exactly in length_50. If the subject has less than 50 bytes it
puts some chunks of memory inside it. How to check if this is a
database-related issue or an exim one?



[Bug 679] Problems with vacation_reply

by Bugzilla from nigel@exim.org

--- Comment #3 from Nigel Metheringham <nigel@...>  2008-03-05 13:57:26 ---
So it's the subject that's being padded with unknown data rather than just the db
file?



[Bug 679] Problems with vacation_reply

by Bugzilla from eximX1211@linuxwan.net

--- Comment #4 from Ted <eximX1211@...>  2009-02-14 16:43:27 ---
${length_X:$str} is safe. It does not modify the original memory and only
returns a pointer to the start and either the length of the string or the
length of the X. No chance of picking up random memory.


Hold on - why is the ${length_50:$h_subject:} going anywhere near the database
file?? The only thing logged to that file/db is the time and the to address.
The subject, headers, text values are only being used in the reply message.

To get random data from exim into the database would require the to header to not
be NULL terminated. Chances?


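A check that would help answer the question raised in comment #2 (is the unexpected data in the file's keys or in its values?), added here as an example; it is not from this thread or from Exim. It assumes, as comment #4 describes, that the once file is a DBM file holding one record per recipient address with a small timestamp value; the 16-byte size threshold and the sample records are my assumptions, constructed to show a clean record beside a key that ran past its NUL and a value carrying leftover text.

```python
import dbm
import re
import struct
from typing import Dict, List, Tuple

# Assumption: each record maps a recipient address to a small fixed-size
# timestamp. Exim's exact record layout is not stated in the thread.
MAX_VALUE_LEN = 16
ADDRESS_RE = re.compile(rb"^[^\s@\x00-\x1f\x7f]+@[^\s@\x00-\x1f\x7f]+$")
TEXT_RUN_RE = re.compile(rb"[ -~]{8,}")   # 8+ printable ASCII bytes in a row

def audit_once_db(records: Dict[bytes, bytes]) -> List[Tuple[bytes, str]]:
    """Return (key, reason) findings for records that do not look like address -> timestamp."""
    findings = []
    for key, value in records.items():
        if not ADDRESS_RE.match(key):
            findings.append((key, "key is not a clean address (control or trailing bytes?)"))
        if len(value) > MAX_VALUE_LEN:
            findings.append((key, f"value is {len(value)} bytes, expected <= {MAX_VALUE_LEN}"))
        if TEXT_RUN_RE.search(value):
            findings.append((key, "value holds a run of text where a timestamp is expected"))
    return findings

def load_once_db(path: str) -> Dict[bytes, bytes]:
    """Read every record of a DBM file (the 'once' file is a DBM file)."""
    with dbm.open(path, "r") as db:
        return {k: db[k] for k in db.keys()}

# Constructed sample records standing in for a once file's contents.
TS = struct.pack("<q", 1204720768)   # 2008-03-05 as an 8-byte time_t
CLEAN = {b"alice@example.org": TS}
SUSPECT = {
    b"alice@example.org": TS,
    b"bob@example.org\x00PATH=/usr/local/bin": TS,      # key kept going past its NUL
    b"carol@example.org": TS + b"root:$6$xxxx$leftover-memory-contents",  # oversized value
}

if __name__ == "__main__":
    import sys
    records = load_once_db(sys.argv[1]) if len(sys.argv) > 1 else SUSPECT
    for key, reason in audit_once_db(records) or [(b"-", "no findings")]:
        print(f"{key!r}: {reason}")
```

Run it with the path to a once file to audit the real file; with no argument it audits the constructed sample.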

[Bug 679] Problems with vacation_reply

by Bugzilla from nigel@exim.org


Nigel Metheringham <nigel@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #5 from Nigel Metheringham <nigel@...>  2009-10-19 12:28:28 ---
Unable to take this forward with the amount of information we have.

Marking as INVALID until/unless we get better information on exactly
what the bug is...

