[exim 0005317]: EXIM CVE-2018-6789
Mantis Bug Tracker
noreply at opencsw.org
Wed Mar 21 08:31:54 CET 2018
A NOTE has been added to this issue.
======================================================================
https://www.opencsw.org/mantis/view.php?id=5317
======================================================================
Reported By: barlavento
Assigned To:
======================================================================
Project: exim
Issue ID: 5317
Category: upgrade
Reproducibility: unable to reproduce
Severity: major
Priority: normal
Status: new
======================================================================
Date Submitted: 2018-03-09 16:32 CET
Last Modified: 2018-03-21 08:31 CET
======================================================================
Summary: EXIM CVE-2018-6789
Description:
CVE-2018-6789
=============
There is a buffer overflow in base64d(), if some pre-conditions are met.
Using a handcrafted message, remote code execution seems to be possible.
A patch exists already and is being tested.
Currently we're unsure about the severity; we *believe* an exploit
is difficult. A mitigation isn't known.
Timeline (UTC)
--------------
* 2018-02-05 Report from Meh Chang <meh at devco.re> via exim-security mailing
  list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
  CVE-2018-6789
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers
  mailing lists and on oss-security mailing list
* 2018-02-08 16:50 Grant restricted access to the security repo for
  distro maintainers
* 2018-02-09 One distro breaks the embargo
* 2018-02-10 18:00 Grant public access to our official git repo.
======================================================================
----------------------------------------------------------------------
(0011271) barlavento (reporter) - 2018-03-21 08:31
https://www.opencsw.org/mantis/view.php?id=5317#c11271
----------------------------------------------------------------------
Hello
I am willing to help. What is needed from me?
But maybe it is easier to just compile from the new source rather than
patch the old code?
Eduardo