diff --git a/CVE-2023-51766.patch b/CVE-2023-51766.patch
new file mode 100644
index 0000000000000000000000000000000000000000..23d5f38a097c2cb65f418b8b6710597ea08606a7
--- /dev/null
+++ b/CVE-2023-51766.patch
@@ -0,0 +1,81 @@ +From f172a89c065d732898181b0b3f8e7abdae533d06 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Tue, 9 Jul 2024 10:44:57 +0800 +Subject: [PATCH] Reject "dot, LF" as ending data phase. Bug 3063 + +--- + src/receive.c | 15 +++++++++++---- + src/smtp_in.c | 13 ++++++++----- + 2 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/src/receive.c b/src/receive.c +index 0a27c79..8639fa9 100644 +--- a/src/receive.c ++++ b/src/receive.c +@@ -1948,8 +1948,10 @@ for (;;) + + if (ch == '\n') + { +- if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE; +- else if (first_line_ended_crlf) receive_ungetc(' '); ++ if (first_line_ended_crlf == TRUE_UNSET) ++ first_line_ended_crlf = FALSE; ++ else if (first_line_ended_crlf) ++ receive_ungetc(' '); + goto EOL; + } + +@@ -1965,7 +1967,11 @@ for (;;) + if (f.dot_ends && ptr == 0 && ch == '.') + { + ch = (receive_getc)(GETC_BUFFER_UNLIMITED); +- if (ch == '\r') ++ if (ch == '\n' && first_line_ended_crlf == TRUE /* and not TRUE_UNSET */ ) ++ /* dot, LF but we are in CRLF mode. Attack? */ ++ ch = ' '; /* replace the LF with a space */ ++ ++ else if (ch == '\r') + { + ch = (receive_getc)(GETC_BUFFER_UNLIMITED); + if (ch != '\n') +@@ -2001,7 +2007,8 @@ for (;;) + ch = (receive_getc)(GETC_BUFFER_UNLIMITED); + if (ch == '\n') + { +- if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE; ++ if (first_line_ended_crlf == TRUE_UNSET) ++ first_line_ended_crlf = TRUE; + goto EOL; + } + +diff --git a/src/smtp_in.c b/src/smtp_in.c +index edb0adf..3119bad 100644 +--- a/src/smtp_in.c ++++ b/src/smtp_in.c +@@ -5432,15 +5432,18 @@ while (done <= 0) + } + + if (chunking_state > CHUNKING_OFFERED) +- rc = OK; /* No predata ACL or go-ahead output for BDAT */ ++ rc = OK; /* There is no predata ACL or go-ahead output for BDAT */ + else + { +- /* If there is an ACL, re-check the synchronization afterwards, since the +- ACL may have delayed. 
To handle cutthrough delivery enforce a dummy call +- to get the DATA command sent. */ ++ /* If there is a predata-ACL, re-check the synchronization afterwards, ++ since the ACL may have delayed. To handle cutthrough delivery enforce a ++ dummy call to get the DATA command sent. */ + + if (!acl_smtp_predata && cutthrough.cctx.sock < 0) +- rc = OK; ++ { ++ if (!check_sync()) goto SYNC_FAILURE; ++ rc = OK; ++ } + else + { + uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept"; +-- +2.27.0 + diff --git a/exim.spec b/exim.spec index 57707b0d2a18960d111daeb75533b3d5e131ef81..51a3ce25d089d9d061fc06a93c20f01aa6624846 100644 --- a/exim.spec +++ b/exim.spec @@ -4,7 +4,7 @@ Summary: The exim mail transfer agent Name: exim Version: 4.96 -Release: 1 +Release: 2 License: GPLv2+ Url: https://www.exim.org/ @@ -43,6 +43,7 @@ Patch3: exim-4.96-pic.patch Patch4: exim-4.96-opendmarc-1.4-build-fix.patch # https://bugs.exim.org/show_bug.cgi?id=2899 Patch5: exim-4.96-build-fix.patch +Patch6: CVE-2023-51766.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: setup @@ -482,5 +483,8 @@ fi %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Tue Jul 9 2024 technology208 - 4.96-2 +- Fix CVE-2023-51766 + * Tue Oct 18 2022 zhuchao - 4.96-1 -- DESC:Package init \ No newline at end of file +- DESC:Package init
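Review bot: The new "dot, LF" guard in src/receive.c is only visibly applied inside the `for (;;)` loop that tracks `first_line_ended_crlf` (all three receive.c hunks, old lines 1948–2007, sit in it), and no hunk touches any other reader in that file. If the DATA body is consumed by a separate routine, a bare "." LF there would still be accepted as end of data, so this backport should be compared hunk by hunk with the complete upstream change for Bug 3063 before the package is declared fixed for CVE-2023-51766. The guard also applies only when the flag is exactly `TRUE`, which the comment should spell out instead of "Attack?", for example `/* "." LF inside a CRLF message is data, not end-of-data; LF-only input keeps the old rule */`. The loop and its enclosing function begin and end outside the hunks.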
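Review bot: `Patch6: CVE-2023-51766.patch` is declared in the second exim.spec hunk, but none of the three exim.spec hunks touches `%prep`, so whether the patch is actually applied depends on lines outside this diff. If `%prep` applies patches one by one with explicit `%patchN` lines rather than through `%autosetup` or `%autopatch`, a matching `%patch6` line is needed; otherwise the package builds as 4.96-2 with a changelog that claims the fix while the source stays unpatched. Confirming in the build log that CVE-2023-51766.patch is applied would settle it.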