[exim 0005317]: EXIM CVE-2018-6789

Mantis Bug Tracker noreply at opencsw.org
Wed Mar 21 09:28:59 CET 2018


A NOTE has been added to this issue. 
====================================================================== 
https://www.opencsw.org/mantis/view.php?id=5317 
====================================================================== 
Reported By:                barlavento
Assigned To:                
====================================================================== 
Project:                    exim
Issue ID:                   5317
Category:                   upgrade
Reproducibility:            unable to reproduce
Severity:                   major
Priority:                   normal
Status:                     new
====================================================================== 
Date Submitted:             2018-03-09 16:32 CET
Last Modified:              2018-03-21 09:28 CET
====================================================================== 
Summary:                    EXIM CVE-2018-6789
Description: 
CVE-2018-6789
=============

There is a buffer overflow in base64d(), if some pre-conditions are met.
Using a handcrafted message, remote code execution seems to be possible.

A patch exists already and is being tested.

Currently we're unsure about the severity; we *believe* an exploit
is difficult. A mitigation isn't known.

Timeline (UTC)
--------------

* 2018-02-05 Report from Meh Chang <meh at devco.re> via exim-security
             mailing list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
             CVE-2018-6789
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers
             mailing lists and on oss-security mailing list
* 2018-02-08 16:50 Grant restricted access to the security repo for
             distro maintainers
* 2018-02-09 One distro breaks the embargo
* 2018-02-10 18:00 Grant public access to our official git repo.
====================================================================== 

---------------------------------------------------------------------- 
 (0011272) dam (administrator) - 2018-03-21 09:28
 https://www.opencsw.org/mantis/view.php?id=5317#c11272 
---------------------------------------------------------------------- 
Hi Eduardo,

mainly this patch needs to be forward-ported to be applicable to the
current version:
 
https://buildfarm.opencsw.org/source/xref/opencsw/csw/mgar/pkg/exim/trunk/files/0003-Set-OpenCSW-build-options.patch

If you could do that then it should be fairly easy.


