19th Dec 2001 [SBWID-4936]
COMMAND
exim pipe
SYSTEMS AFFECTED
3.33 and previous
PROBLEM
Philip Hazel reported the following:
The problem exists only in the case of a run time configuration which
directs or routes an address to a pipe transport without checking the
local part of the address in any way. This does not apply, for example,
to pipes run from alias or forward files, because the local part is
checked to ensure that it is the name of an alias or of a local user.
One kind of configuration where this may apply is one where all
incoming mail is sent straight to a virus checker by means of a pipe,
without inspecting the local parts of addresses. However, if
receiver_verify is turned on, and the director/router that is used for
the pipe has no_verify set, there may not be an exposure, because the
local parts are probably checked by the verification process even
though they are not checked at delivery time before being sent to the
pipe.
The bug is provoked by routing/directing an address whose local part
begins with a pipe symbol (vertical bar) to a pipe transport. That is
why any configuration in which local parts are first checked in some
way is not normally vulnerable (a local part starting with a pipe
symbol is normally invalid). The Exim 4 default configuration blocks
local parts that contain any of the characters @%!/| at SMTP time, as
it happens.
The bug's effect is that, instead of obeying the correct pipe command,
a broken Exim runs the command encoded in the local part.
SOLUTION
Upgrade to exim 3.34, or apply the following patches:
----------------------------------------------------------------------------
This patch is for version 3.33. It should also work on all previous versions
back to 3.20.
*** exim-3.33/src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
the command is supplied as one of the pipe transport\'s options. */
! if (addr->local_part[0] == \'|\')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
the command is supplied as one of the pipe transport\'s options. */
! if (testflag(addr,af_pfr) && addr->local_part[0] == \'|\')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
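Review bot: The comment kept as context above the changed test still says only that the command is pointed to by addr->local_part when it starts with the pipe symbol, but with this change that holds only when af_pfr is also set. Suggest extending the comment to state that the flag is required, and that a local part beginning with '|' without the flag now falls into the "other cases" path where the command comes from the pipe transport's options, so the reason for the extra test is not lost in later edits.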
----------------------------------------------------------------------------
----------------------------------------------------------------------------
This patch is for versions before 3.20. It should work at least as far back as
release 3.12 (which was released on December 8, 1999). It may work on earlier
releases - if not, it is such a simple patch that you should be able to figure
out what to change by hand.
*** src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
the command is supplied as one of the pipe transport\'s options. */
! if (addr->local_part[0] == \'|\')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
the command is supplied as one of the pipe transport\'s options. */
! if (addr->pfr && addr->local_part[0] == \'|\')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
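Review bot: The header of this hunk carries the same line range (487,493) and the same file timestamps as the 3.33 patch, although it is meant for releases before 3.20, so the position should not be trusted on older trees. When applying it, locate the test by content rather than by line number, confirm that the only change is the added addr->pfr condition on the `if` that inspects addr->local_part[0], and check that the release in question has the addr->pfr field (the 3.33 patch tests testflag(addr,af_pfr) instead).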
----------------------------------------------------------------------------
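The decision that the patches change, shown before and after as an added example (a simplified model written for this page, not Exim source code). The address struct, the function names, the sample addresses and the transport command are all constructed; the pfr field is assumed to be set only for addresses generated by alias or forward file processing.

```c
/* Added illustration: a simplified model of the decision, not Exim source. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {              /* hypothetical stand-in for Exim's address item */
    const char *local_part;
    int pfr;                  /* assumed: set only by alias/forward processing */
} address;

/* Command configured on the pipe transport (constructed sample value). */
static const char *transport_cmd = "/usr/local/bin/scan-mail";

/* Constructed sample addresses. */
static const address from_forward = { "|/usr/bin/vacation alice", 1 };
static const address from_smtp    = { "| /bin/echo injected", 0 };
static const address plain_user   = { "alice", 0 };

/* Skip the leading '|' and any white space, as the code in the patch does. */
static const char *skip_bar(const char *local_part) {
    const char *cmd = local_part + 1;
    while (isspace((unsigned char)*cmd)) cmd++;
    return cmd;
}

/* Pre-patch test: any local part starting with '|' supplies the command. */
const char *choose_cmd_unpatched(const address *a) {
    if (a->local_part[0] == '|') return skip_bar(a->local_part);
    return transport_cmd;
}

/* Patched test: the local part supplies the command only when the flag is set. */
const char *choose_cmd_patched(const address *a) {
    if (a->pfr && a->local_part[0] == '|') return skip_bar(a->local_part);
    return transport_cmd;
}

int main(void) {
    const address *cases[] = { &from_forward, &from_smtp, &plain_user };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s unpatched: %-26s patched: %s\n", cases[i]->local_part,
               choose_cmd_unpatched(cases[i]), choose_cmd_patched(cases[i]));
    return 0;
}
```

Only the second sample differs between the two functions: an unchecked local part that starts with a pipe symbol no longer replaces the transport's configured command.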